2009/1/7 David Fuelling <sappe...@gmail.com>:
> All,
>
> Wondering if anybody, especially the original OIDF Board and any
> contributors to the OpenID Auth 2.0 spec could comment on this question for
> me.
>
> Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional?
> More specifically, is the information returned by discovery meant to be
> Authoritative for a particular OpenID or OP Endpoint, or is it merely meant
> to be "Informative".

This seems like a bit of a weird question to me.

The way OpenID is structured, I can easily write an OpenID server that will respond with properly signed positive assertion responses for identity URLs that I don't control, should an RP decide to talk to it. This won't help me impersonate anyone to an RP though because the discovery information doesn't point to my server.

Being the link from the identity URL to the OpenID provider, I don't see how you could treat it as anything other than authoritative.

James.
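
The relying-party check this reply relies on, as an added example that is not part of the original thread: a positive assertion is accepted only if the OP endpoint and OP-local identifier it names appear in what the RP itself discovered for the claimed identifier. The function names, the `DISCOVERED` table standing in for real discovery, and all URLs are constructed for illustration; signature verification is assumed to have already succeeded.

```python
from urllib.parse import urldefrag

# Constructed stand-in for discovery (OpenID Auth 2.0 section 7.3): what the RP
# itself found by fetching each claimed identifier. All URLs are made up.
DISCOVERED = {
    "https://alice.example/": [
        {"op_endpoint": "https://op.example/server",
         "local_id": "https://op.example/users/alice"},
    ],
}

def discover(claimed_id):
    """Hypothetical lookup; a real RP performs Yadis/HTML discovery here."""
    return DISCOVERED.get(claimed_id, [])

def assertion_matches_discovery(fields):
    """Return True only if the responding OP is one the identifier points to.

    `fields` holds the openid.* parameters of a positive assertion whose
    signature the RP has already verified with the OP that sent it. A valid
    signature only proves which OP spoke, not that it may speak for this URL.
    """
    claimed_id = fields.get("openid.claimed_id")
    identity = fields.get("openid.identity")
    endpoint = fields.get("openid.op_endpoint")
    if not (claimed_id and identity and endpoint):
        return False
    # Discovery is performed on the identifier without its fragment.
    base, _fragment = urldefrag(claimed_id)
    for service in discover(base):
        # With no OP-local identifier discovered, the claimed identifier is used.
        local_id = service.get("local_id") or base
        if service["op_endpoint"] == endpoint and local_id == identity:
            return True
    return False

# Constructed assertions; assume each is correctly signed by the OP that sent it.
GENUINE = {
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op.example/users/alice",
    "openid.op_endpoint": "https://op.example/server",
}
UNRELATED_OP = {**GENUINE, "openid.op_endpoint": "https://other-op.example/server"}
```

`assertion_matches_discovery(UNRELATED_OP)` returns `False` even though the assertion is well-formed and signed, which is the sense in which the discovery result is authoritative.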