On Wed, May 14, 2008 at 11:20 AM, Martin Atkins <[EMAIL PROTECTED]> wrote: > * The RP, when verifying that the openid.claimed_id URL in the > assertion is valid, checks only that the openid2.provider value is > correct, and doesn't check that the openid2.local_id value matches > (after removing the fragment part) the openid2.identity URL. [...] > > Both of the above are currently allowed by the Auth 2.0 spec, but since > doing the above checks doesn't seem to remove any useful possibilities, > I think there ought to be some sort of errata that requires the checks > I've listed above.
The "Verifying Discovered Information" section[1] of the OpenID 2.0 Authentication spec is actually pretty explicit about the fact that the relying party needs to verify this: "If the Claimed Identifier is included in the assertion, it MUST have been discovered by the Relying Party and the information in the assertion MUST be present in the discovered information." It then goes on to list the information that must be verified. I think this is already covered. Josh http://openid.net/specs/openid-authentication-2_0.html#verify_disco _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs