Field separators

Brad Fitzpatrick brad at danga.com
Sun Jun 5 15:04:18 PDT 2005


Cool.

On Sun, 5 Jun 2005, Paul Crowley wrote:

> > How about this:
> >
> > openid.signature_is_over=return_to,assert_identity,foo,bar
>
> This has to be an implicit part of what is signed, or as I said, an
> attacker could substitute one from the other by mis-reporting what
> fields the server asserted are present.  So the token contents become
> something like
>
>      * 'assert_identity'
>      * 'valid_from,valid_to,assert_identity,return_to'
>      * valid_from
>      * valid_to
>      * assert_identity
>      * return_to
>
> That's fine, and much simpler.  Cool.
>
> I prefer newline termination to newline separation here, BTW.  Not a
> cryptographic thing of course, just a matter of taste.
> --
>    __
> \/ o\ Paul Crowley, paul at ciphergoth.org
> /\__/ http://www.ciphergoth.org/
>
>
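The point quoted above, as an added example that is not code from the thread or from any OpenID implementation: a verifier that covers the field-list line with the signature, next to one that does not. HMAC-SHA256 stands in for the signature scheme, and the key, the sample values and the helper names (`token_bytes`, `sign`, `verify`, `relabel`) are assumptions made for the illustration; only the field-list line and the values are modelled, each newline-terminated.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
FIELDS = ["valid_from", "valid_to", "assert_identity", "return_to"]
VALUES = {  # constructed sample values
    "valid_from": "2005-06-05T00:00:00Z",
    "valid_to": "2005-06-06T00:00:00Z",
    "assert_identity": "http://user.example.org/",
    "return_to": "http://consumer.example.com/return",
}

def token_bytes(fields, values, bind_field_list=True):
    """Serialize the field-list line (optional) and each value, newline-terminated."""
    lines = [",".join(fields)] if bind_field_list else []
    for name in fields:
        # A separator inside a name or value would make the token ambiguous.
        if "," in name or "\n" in name or "\n" in values[name]:
            raise ValueError("separator character inside field %r" % name)
        lines.append(values[name])
    return "".join(line + "\n" for line in lines).encode("utf-8")

def sign(fields, values, bind_field_list=True):
    # HMAC-SHA256 stands in for the signature scheme (assumption).
    data = token_bytes(fields, values, bind_field_list)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(fields, values, sig, bind_field_list=True):
    try:
        expected = sign(fields, values, bind_field_list)
    except (KeyError, ValueError):
        return False  # missing field or embedded separator: reject
    return hmac.compare_digest(expected, sig)

def relabel(fields, values, a, b):
    """Same value sequence, with names a and b exchanged in the reported list."""
    swap = {a: b, b: a}
    new_fields = [swap.get(f, f) for f in fields]
    new_values = {swap.get(f, f): v for f, v in values.items()}
    return new_fields, new_values

if __name__ == "__main__":
    f2, v2 = relabel(FIELDS, VALUES, "assert_identity", "return_to")
    for bound in (False, True):
        sig = sign(FIELDS, VALUES, bound)
        print("list signed:", bound,
              "| relabelled message verifies:", verify(f2, v2, sig, bound))
```

When the list is outside the signed data, the relabelled message serializes to the same bytes and is accepted; once the list line is signed, verification fails.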

