On 17-Oct-07, at 2:42 AM, James Henstridge wrote:

> The next one is not so much a question as an observation: As an
> identity URL may change its delegation over time (possibly without the
> underlying OP's knowledge), it is possible that an RP will receive
> updates from an OP that is not authoritative for the claimed ID.
> So in addition to checking the signature on the unsolicited OpenID
> response, an RP must perform discovery on the claimed ID to verify
> that the OP is correct.  I could imagine an RP missing this step when
> implementing the spec.

Checking the signature and discovered information are requirements in the core OpenID protocol.

See 11. Verifying Assertions:


specs mailing list
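To make the point of the exchange concrete, here is an added example that is not from the thread, from the OpenID specification, or from any OpenID library. It is a minimal relying-party check for an OpenID 2.0 positive assertion that does both of the things section 11 requires: it verifies the HMAC signature under the association held with the asserting OP (11.4) and then re-runs discovery on the claimed identifier to confirm that OP is currently authoritative for it (11.2), along with the return_to and nonce checks. The two OP endpoints, the association secrets, the identifier URLs, the nonces and the in-memory "discovery" table that stands in for a Yadis/HTML fetch are all constructed for the demonstration. The second assertion shows the trap the quoted observation describes: OP B's unsolicited response is correctly signed, so a signature-only check accepts it, but discovery on the claimed ID points at OP A, so the full check rejects it.

```python
"""Minimal OpenID 2.0 relying-party verification of a positive assertion.

Added example, not from the thread or from any OpenID library. All endpoints,
secrets, identifiers and nonces below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac

# Association secrets the RP established with each OP (constructed). They are
# keyed by (op_endpoint, assoc_handle): a handle string alone does not identify
# an OP, since two OPs may hand out the same handle.
OP_A = "https://op-a.example/openid"
OP_B = "https://op-b.example/openid"
ASSOCIATIONS = {
    (OP_A, "assoc-a-1"): b"A" * 32,
    (OP_B, "assoc-b-1"): b"B" * 32,
}

# Stand-in for discovery on the claimed identifier (constructed). A real RP
# fetches the identifier URL afresh (XRDS or HTML openid2.provider /
# openid2.local_id links), so it sees the *current* delegation, which the OP
# itself never learns about.
DISCOVERY = {
    "https://alice.example/": {
        "op_endpoint": OP_A,
        "local_id": "https://op-a.example/users/alice",
    },
}

REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def discover(claimed_id):
    """Return {op_endpoint, local_id} for a claimed identifier, or None."""
    return DISCOVERY.get(claimed_id)


def kv_form(params, signed):
    """Key-value form of the signed fields, 'key:value\\n' each, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


def sign(params, secret):
    """OP side (for the demo only): add openid.sig over the fields in openid.signed."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(params, signed), hashlib.sha256).digest()
    return dict(params, **{"openid.sig": base64.b64encode(mac).decode()})


def signature_valid(params):
    """Section 11.4: check openid.sig with the association for (op_endpoint, assoc_handle).

    This alone is NOT sufficient; a correctly signed assertion may come from an
    OP that is not authoritative for the claimed identifier.
    """
    key = ASSOCIATIONS.get((params.get("openid.op_endpoint"), params.get("openid.assoc_handle")))
    if key is None or "openid.sig" not in params:
        return False
    signed = params.get("openid.signed", "").split(",")
    # Every security-relevant field must be covered by the signature, and every
    # listed field must actually be present in the message.
    if any(r not in signed for r in REQUIRED_SIGNED):
        return False
    if any("openid." + k not in params for k in signed):
        return False
    expected = hmac.new(key, kv_form(params, signed), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode(), params["openid.sig"])


def verify_assertion(params, seen_nonces, rp_return_to="https://rp.example/finish"):
    """Full section 11 check. Returns 'accept' or a 'reject: ...' reason string."""
    if params.get("openid.mode") != "id_res":
        return "reject: not a positive assertion"
    if params.get("openid.return_to") != rp_return_to:          # 11.1
        return "reject: return_to mismatch"
    if not signature_valid(params):                              # 11.4
        return "reject: bad signature"
    nonce = (params["openid.op_endpoint"], params["openid.response_nonce"])
    if nonce in seen_nonces:                                     # 11.3 (uniqueness per OP)
        return "reject: replayed nonce"
    seen_nonces.add(nonce)
    info = discover(params["openid.claimed_id"])                 # 11.2
    if info is None:
        return "reject: discovery failed"
    if info["op_endpoint"] != params["openid.op_endpoint"]:
        return "reject: OP not authoritative for claimed_id"
    if info["local_id"] != params["openid.identity"]:
        return "reject: identity does not match delegation"
    return "accept"


def build_assertion(op_endpoint, assoc_handle, claimed_id, identity, nonce):
    """Construct a signed id_res message as an OP would send it (demo helper)."""
    unsigned = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    return sign(unsigned, ASSOCIATIONS[(op_endpoint, assoc_handle)])


# OP A is where alice's identifier currently delegates: a legitimate assertion.
GOOD = build_assertion(OP_A, "assoc-a-1", "https://alice.example/",
                       "https://op-a.example/users/alice", "2007-10-17T02:42:00Zabc")
# OP B holds a valid association with the RP and signs correctly, but alice's
# identifier does not delegate to it (any more). Signature-only RPs accept this.
STALE = build_assertion(OP_B, "assoc-b-1", "https://alice.example/",
                        "https://op-b.example/users/alice", "2007-10-17T02:43:00Zxyz")

if __name__ == "__main__":
    seen = set()
    print("signature only:", signature_valid(GOOD), signature_valid(STALE))
    print("full check GOOD:", verify_assertion(GOOD, seen))
    print("full check STALE:", verify_assertion(STALE, seen))
    print("replay of GOOD:", verify_assertion(GOOD, seen))
```

The discovery step is what makes the OP endpoint trustworthy for this particular claimed_id; the signature only proves which OP spoke. Note also that the nonce cache is scoped per OP endpoint and that every field the RP relies on is required to appear in openid.signed, since an unsigned field can be altered in transit without invalidating the signature.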