Re: CLARIFICATION: Is OpenID Discovery Optional?

2009-01-06 Thread James Henstridge
2009/1/7 David Fuelling :
> All,
>
> Wondering if anybody, especially the original OIDF Board and any
> contributors to the OpenID Auth 2.0 spec could comment on this question for
> me.
>
> Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional?
> More specifically, is the information returned by discovery meant to be
> Authoritative for a particular OpenID or OP Endpoint, or is it merely meant
> to be "Informative".

This seems like a bit of a weird question to me.  The way OpenID
is structured, I can easily write an OpenID server that will respond
with properly signed positive assertion responses for identity URLs
that I don't control, should an RP decide to talk to it.

This won't help me impersonate anyone to an RP though because the
discovery information doesn't point to my server.  Being the link from
the identity URL to the OpenID provider, I don't see how you could
treat it as anything other than authoritative.

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
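
Added example, not part of either message or of any OpenID library: a simplified Python model of the RP-side check James describes, in which a rogue OP produces a correctly signed positive assertion that is still rejected because discovery on the claimed identifier does not point to it. All URLs, secrets and field names are constructed, and the HMAC over three fields is a simplification of the OpenID 2.0 signature, not its exact encoding.

```python
import hashlib
import hmac

# Constructed stand-in for discovery: claimed identifier -> what the RP
# finds when it performs discovery on that URL.
DISCOVERY = {
    "https://alice.example/": {
        "op_endpoint": "https://op.example/server",
        "local_id": "https://op.example/alice",
    },
}

# Constructed association secrets the RP shares with each OP it has talked to.
# Any OP, including a rogue one, can establish an association with the RP.
ASSOCIATIONS = {
    "https://op.example/server": b"legit-op-secret",
    "https://rogue.example/server": b"rogue-op-secret",
}

SIGNED_FIELDS = ("op_endpoint", "claimed_id", "identity")

def sign(fields, key):
    """HMAC-SHA256 over 'name:value' lines (simplified signature model)."""
    msg = "".join(f"{name}:{fields[name]}\n" for name in SIGNED_FIELDS)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def make_assertion(op_endpoint, claimed_id, identity):
    """What an OP at op_endpoint would send back as a positive assertion."""
    fields = {"op_endpoint": op_endpoint, "claimed_id": claimed_id,
              "identity": identity}
    fields["sig"] = sign(fields, ASSOCIATIONS[op_endpoint])
    return fields

def signature_ok(assertion):
    """True if the assertion is signed with the asserting OP's own key."""
    key = ASSOCIATIONS.get(assertion["op_endpoint"])
    return key is not None and hmac.compare_digest(
        sign(assertion, key), assertion["sig"])

def discovery_ok(assertion):
    """True only if discovery on the claimed identifier names this OP."""
    found = DISCOVERY.get(assertion["claimed_id"])
    return (found is not None
            and found["op_endpoint"] == assertion["op_endpoint"]
            and found["local_id"] == assertion["identity"])

def accept(assertion):
    """Treat discovery as authoritative: both checks must pass."""
    return signature_ok(assertion) and discovery_ok(assertion)
```
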


CLARIFICATION: Is OpenID Discovery Optional?

2009-01-06 Thread David Fuelling
All,

Wondering if anybody, especially the original OIDF Board and any
contributors to the OpenID Auth 2.0 spec could comment on this question for
me.

*Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional?
More specifically, is the information returned by discovery meant to be
Authoritative for a particular OpenID or OP Endpoint, or is it merely meant
to be "Informative".*

Thanks!

David

ps - for those interested, see the other mail-list thread entitled, "DISCUSSION
relating to OpenID Discovery 2.1" for more fine-grained details surrounding
this question and its possible answers.