--- Comment #1 from Craig Box <>  2010-01-15 16:53:23 UTC ---
Andrew Arnott from DotNetOpenAuth has explained the situation to me here.

In summary, the RP library should stop the "ID issued in any name" case, by
signature verification, so the only thing we need to do is check that the
assertion is acceptable with the code above.  

However, we shouldn't be checking the display identifier, which can be set to
whatever you want - we should be checking the identity_url.  See

Patch forthcoming...

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Wikibugs-l mailing list

Reply via email to