On 17-Oct-07, at 2:42 AM, James Henstridge wrote: > The next one is not so much a question as an observation: As an > identity URL may change its delegation over time (possibly without the > underlying OP's knowledge), it is possible that an RP will receive > updates from an OP that is not authoritative for the claimed ID. > > So in addition to checking the signature on the unsolicited OpenID > response, an RP must perform discovery on the claimed ID to verify > that the OP is correct. I could imagine an RP missing this step when > implementing the spec.
Checking the signature and discovered information are requirements in the core OpenID protocol. See 11. Verifying Assertions : http://openid.net/specs/openid-authentication-2_0-12.html#verification Johnny _______________________________________________ specs mailing list email@example.com http://openid.net/mailman/listinfo/specs