2009/1/7 David Fuelling <sappe...@gmail.com>:
> All,
> Wondering if anybody, especially the original OIDF Board and any
> contributors to the OpenID Auth 2.0 spec, could comment on this question for
> me.
> Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional?
> More specifically, is the information returned by discovery meant to be
> Authoritative for a particular OpenID or OP Endpoint, or is it merely meant
> to be "Informative".

This seems like a bit of a weird question to me.  The way OpenID
is structured, I can easily write an OpenID server that will respond
with properly signed positive assertion responses for identity URLs
that I don't control, should an RP decide to talk to it.

This won't help me impersonate anyone to an RP though because the
discovery information doesn't point to my server.  Being the link from
the identity URL to the OpenID provider, I don't see how you could
treat it as anything other than authoritative.

specs mailing list
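The point made in the reply above, as an added example that is not code from the mailing list or from any OpenID library: an RP that treats discovery as authoritative accepts a positive assertion only when the op_endpoint, claimed_id and identity in the signed response match what discovery returned (OpenID Auth 2.0 sec 11.2). A rogue OP can produce a correctly signed id_res for any identity URL, using its own association with the RP, and only this binding check rejects it. Every URL, association handle, MAC key and nonce below is constructed for the example; the identity page is a hypothetical HTML document with openid2.provider/openid2.local_id links, and signing uses HMAC-SHA256 over the key-value form of the signed fields as in the spec.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed sample page that discovery would fetch from the claimed identifier.
CLAIMED_ID = "https://alice.example.com/"
IDENTITY_PAGE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/endpoint">
<link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>alice</body></html>"""

# Hypothetical association table: an RP establishes a shared MAC key with any
# OP it is sent to, so the rogue OP has a perfectly valid association too.
ASSOCIATIONS = {
    "assoc-legit": b"mac-key-of-the-real-op",
    "assoc-rogue": b"mac-key-of-the-rogue-op",
}


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> tags, keeping the first href per rel value."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.links.setdefault(r.lower(), href)


def discover_html(claimed_id, html):
    """HTML-based discovery (sec 7.3): the identity URL names its OP endpoint and local id."""
    p = _LinkRelParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link on identity page")
    # Without an explicit local_id the OP-local identifier is the claimed id itself.
    return {"claimed_id": claimed_id, "op_endpoint": endpoint,
            "local_id": p.links.get("openid2.local_id", claimed_id)}


def sign(msg, mac_key):
    """Association signature: HMAC over the key-value form of the fields listed in
    openid.signed, with the 'openid.' prefix stripped (sec 6.1), base64 encoded."""
    fields = msg["openid.signed"].split(",")
    data = "".join(f"{f}:{msg['openid.' + f]}\n" for f in fields).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()


def make_assertion(op_endpoint, claimed_id, identity, assoc_handle):
    """Build a positive assertion the way an OP, honest or rogue, would."""
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": "https://rp.example.org/return",  # hypothetical RP
        "openid.response_nonce": "2009-01-07T00:00:00Zabcdef",  # constructed
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    msg["openid.sig"] = sign(msg, ASSOCIATIONS[assoc_handle])
    return msg


def verify_assertion(msg, discovered):
    """RP-side check: valid signature, then the sec 11.2 binding to discovered information.
    Returns (ok, reason)."""
    if msg.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    required = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    if not required <= set(msg.get("openid.signed", "").split(",")):
        return False, "required fields not signed"
    mac_key = ASSOCIATIONS.get(msg.get("openid.assoc_handle", ""))
    if mac_key is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(sign(msg, mac_key), msg.get("openid.sig", "")):
        return False, "bad signature"
    # The signature only proves "some OP we associated with said this"; the
    # discovered information says which OP is allowed to speak for this identifier.
    if msg["openid.op_endpoint"] != discovered["op_endpoint"]:
        return False, "op_endpoint does not match discovery"
    claimed, _ = urldefrag(msg["openid.claimed_id"])  # OP may append a fragment (identifier recycling)
    if claimed != discovered["claimed_id"]:
        return False, "claimed_id does not match discovery"
    if msg["openid.identity"] != discovered["local_id"]:
        return False, "identity does not match discovered local id"
    return True, "ok"


def demo():
    """Honest OP's assertion is accepted; the rogue OP's validly signed one is rejected."""
    discovered = discover_html(CLAIMED_ID, IDENTITY_PAGE_HTML)
    honest = make_assertion(discovered["op_endpoint"], CLAIMED_ID, discovered["local_id"], "assoc-legit")
    rogue = make_assertion("https://rogue.example.net/endpoint", CLAIMED_ID, CLAIMED_ID, "assoc-rogue")
    return verify_assertion(honest, discovered), verify_assertion(rogue, discovered)
```

Running `demo()` returns `(True, 'ok')` for the honest assertion and `(False, 'op_endpoint does not match discovery')` for the rogue one: the rogue message passes the signature check under its own association and fails only because the endpoint in the assertion is not the one the identity URL pointed to. A real RP would also verify return_to and the nonce (sec 11.1 and 11.3) and perform Yadis/XRDS discovery before falling back to HTML links.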
