On 24-May-07, at 8:19 AM, Peter Watkins wrote:

> Section 11.2 states
> "If the Claimed Identifier was not present in the request  
> ("openid.identity" was "http://specs.openid.net/auth/2.0/ 
> identifier_select"), the Relying Party MUST perform discovery on  
> the Claimed Identifier in the response to make sure that the OP is  
> authorized to make assertions about the Claimed Identifier."
> It then goes on to illustrate how an XRDS document could be constucted
> for verifying an OP's authority in such a post-assertion discovery
> process. It would seem logical that HTML discovery should be an option
> here, and that a confirming HTML document would include the usual LINK
> elements. For instance, if the OP Endpoint URL was https:// 
> id.plumbers.co/
> and the identifier in the assertion was https://id.plumbers.co/ 
> users/1234
> then HTML discovery for 11.2 would work by requesting the URL
> https://id.plumbers.co/users/1234 and verfiying that its HREF for
> openid2.provider was "https://id.plumbers.co/"; and the HREF for
> openid2.local_id was "https://id.plumbers.co/users/1234";.
> But as it stands, only XRDS (XRI/Yadis?) post-assertion discovery  
> is discussed.
> Shouldn't the spec clarify what is required for an HTML discovery to
> uphold an assertion that triggers 11.2's discovery process?

Section 11 is, again, about how RPs consume the assertions;  
specifically, it explains how the mappings between discovered  
information and assertion data must be checked.

Discovery is covered in detail in section 7.3 (and referenced from  
section 11). If we go into too many details about discovery in  
section 11, it may lead readers to believe that is the authoritative  
section about discovery, and possibly overlook important items  
specified in section 7.3 (not to mention adding to the perceived  
"complexity" of the spec...) That's why a short, non-normative  
example was preferred in that place.


specs mailing list

Reply via email to