Field separators
Paul Crowley
paul at ciphergoth.org
Sun Jun 5 14:53:39 PDT 2005
> How about this:
>
> openid.signature_is_over=return_to,assert_identity,foo,bar
This has to be an implicit part of what is signed, or as I said, an
attacker could substitute one for the other by mis-reporting what
fields the server asserted are present. So the token contents become
something like
* 'assert_identity'
* 'valid_from,valid_to,assert_identity,return_to'
* valid_from
* valid_to
* assert_identity
* return_to
That's fine, and much simpler. Cool.
I prefer newline termination to newline separation here, BTW. Not a
cryptographic thing of course, just a matter of taste.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
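
Added example, not part of the original message: a sketch of the token layout listed above, with the field list inside the signed, newline-terminated data, next to a values-only variant for comparison. HMAC-SHA256, the key, the function names and all sample values are assumptions constructed for illustration; the thread does not specify a signing algorithm.

```python
import hashlib
import hmac

LABEL = "assert_identity"  # constant first line, copied from the message


def signed_bytes(names, values):
    """Label, then the field list, then each value; every line newline-terminated."""
    lines = [LABEL, ",".join(names)] + [values[n] for n in names]
    if any("\n" in line for line in lines) or any("," in n for n in names):
        raise ValueError("separator character inside a name or value")
    return "".join(line + "\n" for line in lines).encode("utf-8")


def values_only_bytes(names, values):
    """For comparison only: field list left out of the signed data."""
    return "".join(values[n] + "\n" for n in names).encode("utf-8")


def sign(key, names, values, serialise=signed_bytes):
    return hmac.new(key, serialise(names, values), hashlib.sha256).hexdigest()


def verify(key, names, values, tag, serialise=signed_bytes):
    try:
        expected = sign(key, names, values, serialise)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, tag)


# Constructed sample data.
KEY = b"constructed-demo-key"
NAMES = ["valid_from", "valid_to", "assert_identity", "return_to"]
VALUES = {"valid_from": "2005-06-05", "valid_to": "2005-06-06",
          "assert_identity": "http://user.example/",
          "return_to": "http://consumer.example/done"}
# Same values in the same order, but reported under swapped names.
SWAPPED_NAMES = ["valid_to", "valid_from", "assert_identity", "return_to"]
SWAPPED_VALUES = dict(VALUES, valid_to=VALUES["valid_from"],
                      valid_from=VALUES["valid_to"])

if __name__ == "__main__":
    weak = sign(KEY, NAMES, VALUES, values_only_bytes)
    strong = sign(KEY, NAMES, VALUES)
    print(verify(KEY, SWAPPED_NAMES, SWAPPED_VALUES, weak, values_only_bytes))  # True
    print(verify(KEY, SWAPPED_NAMES, SWAPPED_VALUES, strong))  # False
    print(verify(KEY, NAMES, VALUES, strong))  # True
```

The serialiser rejects a newline inside any signed line and a comma inside a field name, since either would make two different field sets serialise to the same bytes.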