Allen,
On 5/29/07, Allen Tom [EMAIL PROTECTED] wrote:
From an implementation perspective, it might make sense for the OP to
verify the RP during the association request, so that the association
handle is only returned after the RP has been verified.
Were you concerned about implementation
Hi Josh,
Having the OP verify the realm/return_to as part of the Authentication
Request is fine. OPs should cache the verification status to reduce
latency for RPs that send many users to the OP.
At least from my perspective, it always seemed odd that the Association
Request is just an interface
Josh,
On 24-May-07, at 4:19 PM, Josh Hoyt wrote:
Please review the additions. If you'd like to see the
specific changes, you can look at the diffs in revision control[3].
Looks good to me. One minor issue about the wording - we have now two
return URL verifications: one done by the OP and a
On 24-May-07, at 5:54 PM, Recordon, David wrote:
I guess since we're unable to fully resolve this issue from a
technical
perspective, and no I don't have a better technical solution, I'm
wondering if this should actually be an extension to the core protocol
versus seeming like a
Hello,
I've added a section to the specification[1] about performing
verification on the realm to avoid realm spoofing. In short, realm
spoofing is the problem of exploiting a bug on a site that a user
would trust to trick them into sending their information to a site
that they would not trust.
it. In some senses I see this as a larger problem
around trust of Relying Parties.
--David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Josh Hoyt
Sent: Thursday, May 24, 2007 4:19 PM
To: OpenID specs list
Subject: Realm spoofing spec patch
Hello,
I've