Field separators

Paul Crowley paul at
Sun Jun 5 14:53:39 PDT 2005

> How about this:
> openid.signature_is_over=return_to,assert_identity,foo,bar

This has to be an implicit part of what is signed, or as I said, an 
attacker could substitute one from the other by mis-reporting what 
fields the server asserted are present.  So the token contents become 
something like

     * 'assert_identity'
     * 'valid_from,valid_to,assert_identity,return_to'
     * valid_from
     * valid_to
     * assert_identity
     * return_to

That's fine, and much simpler.  Cool.

I prefer newline termination to newline separation here, BTW.  Not a 
cryptographic thing of course, just a matter of taste.
\/ o\ Paul Crowley, paul at
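A worked version of the token layout discussed above, added here as an illustration and not code from the thread or from any OpenID implementation: the second line of the token names the signed fields, and the MAC is computed over the whole newline-terminated body, so the field list itself is covered. The MAC algorithm (HMAC-SHA256), the shared secret, and the field values are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed shared secret for the example; a real deployment would use
# the secret established between the parties, not a literal in code.
SECRET = b"example-shared-secret-not-for-real-use"


def build_token(fields, signed_names, secret=SECRET):
    """Build a newline-terminated token and its MAC.

    Layout (one item per line, each line newline-terminated):
        assert_identity
        <comma-separated list of signed field names>
        <value of first signed field>
        ...
    Because the name list is inside the signed body, a relabelled copy of
    the values cannot carry the same MAC.
    """
    for name in signed_names:
        value = fields[name]
        # The framing uses ',' and '\n' as separators, so neither may occur
        # in a name or value without breaking the parse.
        if "," in name or "\n" in name:
            raise ValueError("field name contains a separator: %r" % name)
        if "\n" in value:
            raise ValueError("field value contains a newline: %r" % name)
    lines = ["assert_identity", ",".join(signed_names)]
    lines.extend(fields[name] for name in signed_names)
    body = "".join(line + "\n" for line in lines)
    sig = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body, sig


def verify_token(body, sig, secret=SECRET):
    """Return the signed fields as a dict, or None if the token is invalid.

    The MAC is recomputed over the body exactly as received, so any edit to
    the name list or to a value causes a mismatch. The name list is read
    only from the body, never from an unsigned side channel.
    """
    expected = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not body.endswith("\n"):
        return None  # newline-terminated framing required
    lines = body.split("\n")[:-1]
    if len(lines) < 2 or lines[0] != "assert_identity":
        return None
    names = lines[1].split(",")
    values = lines[2:]
    if len(names) != len(values) or len(set(names)) != len(names):
        return None
    return dict(zip(names, values))


if __name__ == "__main__":
    # Constructed sample field values.
    fields = {
        "valid_from": "2005-06-05T00:00:00Z",
        "valid_to": "2005-06-06T00:00:00Z",
        "assert_identity": "http://id.example/paul",
        "return_to": "http://rp.example/login",
    }
    order = ["valid_from", "valid_to", "assert_identity", "return_to"]
    body, sig = build_token(fields, order)
    print(body, end="")
    print("MAC:", sig)
    print("verified:", verify_token(body, sig))
```

The check worth noticing is that the verifier never accepts a field list from anywhere other than the signed body; a token whose name line has been rewritten fails the MAC comparison before any field is interpreted.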

More information about the yadis mailing list