On 17-Oct-07, at 2:42 AM, James Henstridge wrote:

> The next one is not so much a question as an observation: As an
> identity URL may change its delegation over time (possibly without the
> underlying OP's knowledge), it is possible that an RP will receive
> updates from an OP that is not authoritative for the claimed ID.
>
> So in addition to checking the signature on the unsolicited OpenID
> response, an RP must perform discovery on the claimed ID to verify
> that the OP is correct. I could imagine an RP missing this step when
> implementing the spec.
Checking the signature and discovered information are requirements in the core OpenID protocol. See 11. Verifying Assertions: http://openid.net/specs/openid-authentication-2_0-12.html#verification

Johnny

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
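The two RP-side checks discussed in this thread, as an added illustration that is not part of the original messages or of any OpenID library: the HMAC-SHA256 signature over the key-value form of the signed fields is verified first, and then discovery on the claimed ID must return the same OP endpoint the assertion names. The discovery table, the association MAC key and the identifiers are constructed for the example; a real RP performs a live Yadis/HTML lookup and uses the MAC key of the association named by assoc_handle.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for discovery on the claimed identifier (hypothetical;
# a real RP performs a fresh Yadis/HTML lookup here, never a static table).
# Alice's identity URL now delegates to op-new, not op-old.
DISCOVERY = {"https://alice.example.org/": "https://op-new.example.net/endpoint"}
MAC_KEY = b"constructed-association-mac-key-not-a-real-secret"  # assumed shared secret

def discover_op_endpoint(claimed_id):
    return DISCOVERY.get(claimed_id)

def kv_form(fields, signed):
    # OpenID 2.0 key-value form: one "name:value\n" line per signed field,
    # in the order listed in openid.signed, without the "openid." prefix.
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed.split(","))

def sign(fields, mac_key):
    digest = hmac.new(mac_key, kv_form(fields, fields["openid.signed"]).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def make_assertion(op_endpoint, mac_key=MAC_KEY):
    # A positive assertion as an OP would build it (unsolicited, so no prior request).
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": "https://rp.example.com/return",
        "openid.response_nonce": "2007-10-17T02:42:00Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields

REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

def verify_assertion(fields, mac_key=MAC_KEY):
    """RP-side check: signature first, then discovery on the claimed ID. Returns (ok, reason)."""
    if not REQUIRED_SIGNED <= set(fields["openid.signed"].split(",")):
        return False, "required fields missing from signed list"
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False, "signature mismatch"
    # The step an RP can forget: a valid signature only proves which OP spoke,
    # not that that OP is the one the claimed ID currently delegates to.
    if discover_op_endpoint(fields["openid.claimed_id"]) != fields["openid.op_endpoint"]:
        return False, "OP is not authoritative for claimed_id"
    return True, "ok"
```

With these constructed values, a correctly signed assertion from op-old is rejected because discovery on the claimed ID now points at op-new, even though the signature check alone would pass.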