OpenID best implementation practices?
Johannes Ernst
jernst+lists.danga.com at netmesh.us
Thu Dec 29 01:14:48 UTC 2005
Could anybody who has already / has attempted to implement OpenID
share best practices? Or does such a document exist already, in which
case I'd be grateful if somebody could point me in the right direction.
More specifically, I'm interested in the following questions:
1) is there a "best practice" that OpenID implementations should
follow in order to avoid replay attacks? I suspect the trick is to
create a Relying Party (aka return_to) URL that contains a nonce, and
track the uses of that nonce?
E.g. if the Relying Party is
http://rp.example.com
use
http://rp.example.com?my-nonce=<random-number>
as the return_to URL in the forward leg of the authentication, and
check the my-nonce parameter on the return leg for whether or not it
was taken already?
Does that mean we could use the same mechanism that we are using in
LID, or is a different approach more appropriate for OpenID?
2) is there a "best practice" for single sign-OUT (not -IN)? It is
relatively straightforward to keep track of all the Relying Parties
at which I have authenticated during the current session, but other
than visiting each of them manually and looking for the OpenID Logout
button on each of them, can I automate this from one big button "log
out everywhere"?
3) Is the threat model against OpenID documented somewhere? I'm
missing the rationale for some of the URL arguments, such as why
openid.return_to is returned on the back leg of the authentication
redirects, or why some of the fields should or should not be signed.
Of course, everybody might be on vacation ...
Johannes Ernst
http://netmesh.info/jernst
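The nonce-in-return_to scheme sketched in question 1, worked through as an added example for a Relying Party (this is not code from the original post, nor from LID or any OpenID library). The nonce store, the `my-nonce` parameter name, the 300-second lifetime and the `simulate_idp_redirect` stand-in for the identity provider's back-leg redirect are all constructed for illustration; verifying the identity provider's signature over the response is assumed to happen elsewhere and is not shown. The single-use check is a `pop` from the pending table, so a second presentation of the same nonce finds nothing, and the nonce is bound to the exact return_to it was minted into so the signed `openid.return_to` on the back leg can be compared against it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class NonceStore:
    """Hypothetical single-use nonce store for a Relying Party (constructed example)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds          # assumed lifetime of an outstanding nonce
        self.clock = clock              # injectable for deterministic tests
        self._pending = {}              # nonce -> (issued_at, return_to it is bound to)

    def issue(self, base_url):
        """Mint a fresh nonce and embed it in the return_to URL for the forward leg."""
        nonce = secrets.token_urlsafe(16)           # 128 random bits, URL-safe alphabet
        return_to = base_url + "?" + urlencode({"my-nonce": nonce})
        self._pending[nonce] = (self.clock(), return_to)
        return return_to

    def consume(self, nonce):
        """Hand back the bound return_to exactly once; None if unknown, used, or expired."""
        entry = self._pending.pop(nonce, None)      # pop: a replay finds nothing here
        if entry is None:
            return None
        issued_at, return_to = entry
        if self.clock() - issued_at > self.ttl:
            return None                             # stale: the forward leg was too long ago
        return return_to

    def purge_expired(self):
        """Drop stale entries so an unbounded stream of abandoned logins cannot fill memory."""
        now = self.clock()
        stale = [n for n, (t, _) in self._pending.items() if now - t > self.ttl]
        for n in stale:
            del self._pending[n]
        return len(stale)


def verify_return_leg(store, request_url):
    """Accept a back-leg request only if its nonce is fresh and unused and the
    signed openid.return_to names the very URL that nonce was issued for."""
    params = parse_qs(urlparse(request_url).query)
    nonce = params.get("my-nonce", [None])[0]
    signed_return_to = params.get("openid.return_to", [None])[0]
    if nonce is None or signed_return_to is None:
        return False
    expected_return_to = store.consume(nonce)
    if expected_return_to is None:
        return False                                # replayed, forged, or expired
    return expected_return_to == signed_return_to   # return_to must match what we sent


def simulate_idp_redirect(return_to, signed_return_to=None):
    """Constructed stand-in for the identity provider's redirect back to return_to:
    appends the openid.* fields. signed_return_to lets a caller present a mismatch."""
    fields = {"openid.mode": "id_res",
              "openid.return_to": signed_return_to or return_to}
    return return_to + "&" + urlencode(fields)


if __name__ == "__main__":
    store = NonceStore()
    rt = store.issue("http://rp.example.com")
    back = simulate_idp_redirect(rt)
    print("first presentation:", verify_return_leg(store, back))   # fresh nonce
    print("replayed:          ", verify_return_leg(store, back))   # same URL again
```

The store is process-local here; a Relying Party running on several hosts would need the same consume-once semantics in shared storage, otherwise a replay against a different host would succeed.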