Field separators
Brad Fitzpatrick
brad at danga.com
Sun Jun 5 15:04:18 PDT 2005
Cool.
On Sun, 5 Jun 2005, Paul Crowley wrote:
> > How about this:
> >
> > openid.signature_is_over=return_to,assert_identity,foo,bar
>
> This has to be an implicit part of what is signed, or as I said, an
> attacker could substitute one from the other by mis-reporting what
> fields the server asserted are present. So the token contents become
> something like
>
> * 'assert_identity'
> * 'valid_from,valid_to,assert_identity,return_to'
> * valid_from
> * valid_to
> * assert_identity
> * return_to
>
> That's fine, and much simpler. Cool.
>
> I prefer newline termination to newline separation here, BTW. Not a
> cryptographic thing of course, just a matter of taste.
> --
> __
> \/ o\ Paul Crowley, paul at ciphergoth.org
> /\__/ http://www.ciphergoth.org/
>
>
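The point made in the quoted message, as an added example that is not part of the original thread: a MAC over the values alone still verifies when the field names are mis-reported, while a MAC that also covers the field list does not. HMAC-SHA256, the key, the sample values, the reading of the first line as a mode label, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def token_bytes(mode, fields, values, bind_field_list=True):
    # Layout from the quoted message: mode, field list, then values in order.
    # Every line is newline-terminated, so no line may contain a newline.
    lines = [mode]
    if bind_field_list:
        lines.append(",".join(fields))
    lines.extend(values[name] for name in fields)
    if any("\n" in line for line in lines):
        raise ValueError("newline inside a signed line")
    if any("," in name for name in fields):
        raise ValueError("comma inside a field name")
    return "".join(line + "\n" for line in lines).encode("utf-8")

def sign(key, mode, fields, values, bind_field_list=True):
    data = token_bytes(mode, fields, values, bind_field_list)
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, mode, reported_fields, values, sig, bind_field_list=True):
    # The verifier rebuilds the token from the fields it was told were signed.
    expected = sign(key, mode, reported_fields, values, bind_field_list)
    return hmac.compare_digest(expected, sig)

# Constructed sample data (hypothetical key and URLs).
KEY = b"constructed-demo-key"
MODE = "assert_identity"
FIELDS = ["valid_from", "valid_to", "assert_identity", "return_to"]
VALUES = {
    "valid_from": "2005-06-05T00:00:00Z",
    "valid_to": "2005-06-06T00:00:00Z",
    "assert_identity": "http://user.example/",
    "return_to": "http://consumer.example/return",
}
# Same value bytes in the same order, but the last two names are swapped.
SWAPPED_FIELDS = ["valid_from", "valid_to", "return_to", "assert_identity"]
SWAPPED_VALUES = dict(VALUES, return_to=VALUES["assert_identity"],
                      assert_identity=VALUES["return_to"])

def demo():
    unbound = sign(KEY, MODE, FIELDS, VALUES, bind_field_list=False)
    bound = sign(KEY, MODE, FIELDS, VALUES)
    return (
        verify(KEY, MODE, FIELDS, VALUES, bound),                  # honest report
        verify(KEY, MODE, SWAPPED_FIELDS, SWAPPED_VALUES, unbound,
               bind_field_list=False),                             # list not signed
        verify(KEY, MODE, SWAPPED_FIELDS, SWAPPED_VALUES, bound),  # list signed
    )
```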