OpenID 2.0 draft 8 comments

Dick Hardt dick at sxip.com
Sun Aug 13 16:58:12 UTC 2006


All good points, Ben. Thanks for the review!

-- Dick

On 13-Aug-06, at 3:41 AM, Ben Laurie wrote:

> Security considerations should discuss the possibility of one relying
> party attempting to masquerade as the user to another relying party.
>
> open_id.assoc_type - should be a list of preferred algorithms, rather
> than a single one. The response should be constrained to be one of
> those in the list. Similarly other algorithm choices.
>
> Why are request parameters openid.<blah> and responses just <blah>?
>
> 8.1: you suddenly start talking about the Provider instead of the IdP.
>
> A.3: "...located by the identifier URL" - presumably this means
> http[s]://www.example.com/? It would be clearer to say so.
>
> A.2 would be a much more useful example if the entire process of
> retrieving "the XRDS file" and authenticating it were shown. Similarly
> for A.3.
>
> Appendix B claims to be a confirmed prime - sez who? Where's the proof?

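The algorithm-negotiation point above (offer a list of acceptable association types, then constrain the response to that list) worked through as an added example. This is not code from the draft or from either participant in the thread. It assumes that openid.assoc_type carries a comma-separated preference list and that the response carries a single bare assoc_type (mirroring the request/response naming asymmetry remarked on in the review); those conventions and the algorithm names HMAC-SHA256 and HMAC-SHA1 are assumptions for illustration.

```python
"""Association-type negotiation with a downgrade check.

Added example, not from the OpenID draft or this thread. The parameter
layout (comma-separated list in the request, one bare value in the
response) and the algorithm names are assumptions for illustration.
"""

# The relying party's acceptable association types, strongest first.
RP_PREFERRED = ["HMAC-SHA256", "HMAC-SHA1"]


def rp_build_request(preferred):
    """Relying party -> IdP: offer the whole preference list, not one value."""
    return {"openid.mode": "associate", "openid.assoc_type": ",".join(preferred)}


def idp_handle_request(request, idp_supported):
    """IdP -> relying party: pick the first offered type the IdP supports."""
    offered = request["openid.assoc_type"].split(",")
    for assoc_type in offered:
        if assoc_type in idp_supported:
            return {"assoc_type": assoc_type}
    return {"error": "no mutually supported association type"}


def rp_accept_response(request, response):
    """Reject any response whose choice is not one the RP actually offered.

    This is the check that stops an attacker in the middle (or a sloppy IdP)
    from substituting an algorithm weaker than any the RP was willing to use.
    """
    if "error" in response:
        raise ValueError(response["error"])
    offered = request["openid.assoc_type"].split(",")
    chosen = response.get("assoc_type")
    if chosen not in offered:
        raise ValueError(f"IdP chose {chosen!r}, which was not offered: {offered}")
    return chosen


def negotiate(rp_preferred, idp_supported, tamper=None):
    """Run one exchange. `tamper`, if given, rewrites the response in flight
    to simulate a downgrade attempt. Returns the accepted type or raises."""
    request = rp_build_request(rp_preferred)
    response = idp_handle_request(request, idp_supported)
    if tamper is not None:
        response = tamper(response)
    return rp_accept_response(request, response)


if __name__ == "__main__":
    # IdP supports both: RP's first preference wins regardless of IdP order.
    print(negotiate(RP_PREFERRED, ["HMAC-SHA1", "HMAC-SHA256"]))
    # IdP supports only the weaker one the RP still accepts.
    print(negotiate(RP_PREFERRED, ["HMAC-SHA1"]))
    # Response rewritten to an algorithm the RP never offered: rejected.
    try:
        negotiate(RP_PREFERRED, ["HMAC-SHA1"],
                  tamper=lambda r: {"assoc_type": "HMAC-MD5"})
    except ValueError as e:
        print("rejected:", e)
```

The same membership check belongs on every other negotiated choice (session type, DH group), as the review says: a single-valued request field gives the RP nothing to validate the answer against.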

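On the "confirmed prime" point: instead of taking an appendix's word for it, an implementer can check the Diffie-Hellman modulus independently. The following is an added example, not code from the draft or from anyone in the thread, and it does not use the draft's Appendix B value (which is not reproduced on this page); the numbers it exercises are well-known Mersenne primes and a small safe prime chosen for illustration. Miller-Rabin gives overwhelming confidence, not a proof; for an actual primality certificate one would run a deterministic prover such as ECPP.

```python
"""Independent check of a published Diffie-Hellman modulus.

Added example (not from the draft or this thread). Verifies that a modulus
is probably prime, is a safe prime (p = 2q + 1 with q prime), is large
enough, and that the generator is in range. Test values are well-known
numbers chosen for illustration, not the draft's Appendix B constant.
"""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test. A composite survives one round with probability at
    most 1/4, so 40 rounds bound the error by 2**-80. Strong evidence, not
    a proof."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1)/2 are prime. Then the
    only subgroup orders are 1, 2, q and 2q, so an attacker cannot confine a
    peer's public value to a small subgroup (beyond the order-2 element p-1)."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_modulus(p: int, g: int, min_bits: int = 1024) -> list:
    """Return a list of findings; an empty list means (p, g) passed."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is only {p.bit_length()} bits (< {min_bits})")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
        return findings  # the remaining checks assume a prime modulus
    if not is_probable_prime((p - 1) // 2):
        findings.append("modulus is not a safe prime: (p - 1)/2 is composite")
    if not 1 < g < p - 1:
        findings.append("generator must satisfy 1 < g < p - 1")
    return findings


if __name__ == "__main__":
    m127 = 2**127 - 1  # Mersenne prime, but (p-1)/2 is divisible by 3
    m61 = 2**61 - 1    # Mersenne prime; the product below is composite
    for name, p in [("M127", m127), ("M127*M61", m127 * m61), ("1019", 1019)]:
        print(name, "prime:", is_probable_prime(p), "safe:", is_safe_prime(p),
              "findings:", check_dh_modulus(p, 2, min_bits=8))
```

To apply this to a spec's published group, paste the hex modulus into int(..., 16) and call check_dh_modulus with the spec's generator; a value that is prime but not a safe prime deserves its own justification of the subgroup structure, which a bare "confirmed prime" claim does not supply.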

More information about the yadis mailing list