<br><br><div class="gmail_quote">On Sun, Nov 30, 2008 at 3:07 PM, Manger, James H <span dir="ltr"><<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
> here is a non-security reason [for openid.oauth.consumer in the response]:<br>
<div class="Ih2E3d">> Imagine the Consumer controlling more than<br>
> one consumer key, and also imagine that the consumer is implemented as a<br>
> server farms of thousands of machines. The machine receiving the response<br>
> is not necessarily the same machine as the machine that made the request,<br>
> and it response-receiver needs to know the context of the request.<br>
<br>
<br>
</div>The openid.return_to parameter is already available to relay RP context from a request to a response. Adding second way to do the same thing does not help. An app can, for instance, use<br>
openid.return_to=<a href="https://example.com/rp?contex=26532" target="_blank">https://example.com/rp?contex=26532</a><br>
<br>
Returning openid.oauth.consumer and openid.oauth.scope cannot help if<br>
apps are not doing anything with them (and the draft spec doesn't suggest<br>
doing anything). If a paranoid crypto geek in future finds a reason to<br>
return the parameters the apps built before that point will still be broken.<br>
<div class="Ih2E3d"></div></blockquote><div><br>Reviving this thread. <br><br>I think you're right. I'm removing the consumer parameter from the response. I have posted a new version of the spec on <a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a><br>
<br>Dirk.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
<br>
<br>
>> Is the app supposed to check that the value in the response matches the<br>
>> value in the request?<br>
>> Are there security implications of not doing the check?<br>
>> I suspect it can be omitted (openid.return_to is still present and signed<br>
>> if the app want to confirm the response is meant for itself).<br>
<br>
</div><font color="#888888">James Manger<br>
</font><div><div></div><div class="Wj3C7c">_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@openid.net">specs@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
</div></div></blockquote></div><br>