trust root sanity

Brian Ellin brian at
Tue Jun 21 17:56:26 PDT 2005

Hello Open Id Folks,

I'm writing some trust root code, and reading from the version 0 spec:

"You can try to pass things like http://*.com/ or http://*, but
any respectable identity server will protect their users from that."

So what exactly is a sane trust root?  Is there any reasonable way of
determining trust root sanity, and at what point do we leave it in the
user's hands?

For example is the large umbrella of http://* sane?  
What about just private schools in va: http://* ?

In my opinion, neither of the above examples are sane, but how could the
server possibly know?

Brian Ellin

More information about the yadis mailing list