OpenID 2.0 draft 8 comments
Ben Laurie
benl at google.com
Sun Aug 13 10:41:31 UTC 2006
Security considerations should discuss the possibility of one relying party attempting to masquerade as the user to another relying party.

openid.assoc_type - should be a list of preferred algorithms, rather than a single one. The response should be constrained to be one of those in the list. Similarly other algorithm choices.

Why are request parameters openid.<blah> and responses just <blah>?

8.1: you suddenly start talking about the Provider instead of the IdP.

A.3: "...located by the identifier URL" - presumably this means http[s]://www.example.com/? It would be clearer to say so.

A.2 would be a much more useful example if the entire process of retrieving "the XRDS file" and authenticating it were shown. Similarly for A.3.

Appendix B claims to be a confirmed prime - sez who? Where's the proof?
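The negotiation check the comment above asks for (a preference list in the request, and a response that is rejected unless it picks something from that list), as an added Python illustration that is not part of this post or of the OpenID specification. The comma-separated list syntax, the function names and the sample values are assumptions; the algorithm names are the OpenID 2.0 ones, and request keys carry the openid. prefix while response keys do not, as the draft writes them.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 algorithm names, most preferred first. The comma-joined list
# syntax used below is an assumed encoding of the proposal, not spec wire format.
ASSOC_TYPES = ("HMAC-SHA256", "HMAC-SHA1")
SESSION_TYPES = ("DH-SHA256", "DH-SHA1", "no-encryption")
HASH_FOR_ASSOC = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


class NegotiationError(ValueError):
    """Raised when the OP picks an algorithm the RP never offered."""


def build_assoc_request(assoc_prefs=ASSOC_TYPES, session_prefs=SESSION_TYPES):
    # Request keys carry the openid. prefix, as in the draft.
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "associate",
        "openid.assoc_type": ",".join(assoc_prefs),
        "openid.session_type": ",".join(session_prefs),
    }


def check_assoc_response(request, response):
    """Constrain the OP's choice to the lists the RP offered. Response keys
    are unprefixed, as the draft writes them. Returns the negotiated pair."""
    chosen = (response.get("assoc_type"), response.get("session_type"))
    offered = (request["openid.assoc_type"].split(","),
               request["openid.session_type"].split(","))
    for name, value, allowed in zip(("assoc_type", "session_type"), chosen, offered):
        if value not in allowed:  # also catches a missing field (None)
            raise NegotiationError(f"{name} {value!r} was not offered")
    return chosen


def sign(assoc_type, mac_key, fields):
    """HMAC over OpenID-style 'key:value' lines; the hash is fixed by the
    negotiated assoc_type, so a type that was never offered cannot be used."""
    digest = HASH_FOR_ASSOC[assoc_type]  # KeyError for anything unknown
    msg = "".join(f"{k}:{v}\n" for k, v in fields).encode()
    return base64.b64encode(hmac.new(mac_key, msg, digest).digest()).decode()


def verify(assoc_type, mac_key, fields, sig):
    return hmac.compare_digest(sign(assoc_type, mac_key, fields), sig)
```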
More information about the yadis mailing list