trust root sanity

Martin Atkins mart at
Wed Jun 22 06:31:55 PDT 2005

Brian Ellin wrote:
> Hello Open Id Folks,
> I'm writing some trust root code, and reading from the version 0 spec:
> "You can try to pass things like http://*.com/ or http://*, but
> any respectable identity server will protect their users from that."
> So what exactly is a sane trust root?  Is there any reasonable way of
> determining trust root sanity, and at what point do we leave it in the
> user's hands?
> For example is the large umbrella of http://* sane?  
> What about just private schools in va: http://* ?
> In my opinion, neither of the above examples is sane, but how could the
> server possibly know?

I raised a similar point a while back. The general consensus, I think,
was that the ID server should catch the common cases and leave the user
to notice the more esoteric ones such as your examples here. It's
unlikely that a school will be using OpenID at all, let alone trying to
attack it. ;)

I think a reasonable starting point is that anything with only one
concrete domain is bad. *.museum, *.es, *.org ... all of those bad.

You can't really do much beyond that. Any other generic scheme you can
come up with can be invalidated by a counter example. The only thing
left at this point is to hardcode knowledge about specific domains. For
example, no-one is allowed to register domains directly under .uk, so
* is bad. There are exceptions even to that rule, though: is the UK domain registrar, and is the National
Health Service. *.???.uk being allowed isn't good enough, though,
because that would allow * Chaos.

So beyond blocking the top-level stuff, you just have to let the users
sort it out. You could perhaps help by displaying warnings but not
failing completely in suspicious-looking cases, so the user is prompted
to take extra care in checking this URL.


Another question that could be raised is whether
http://* matches .
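
One way to implement the heuristic sketched in this thread, as an added example that is not code from the post or from any OpenID library: reject a wildcard root whose only concrete label is a TLD, hardcode a small table of registry-allocated second-level suffixes (the .uk case), and for the cases the table cannot decide only warn so the user is prompted to look harder rather than failing outright. The suffix table, the ccTLD warning rule and the function name `check_trust_root` are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed, deliberately incomplete table: TLDs where the registry allocates
# names one level down, and the second-level labels that belong to the
# registry rather than to one site. This is the "hardcode knowledge about
# specific domains" approach; every entry is a constructed assumption.
REGISTRY_SECOND_LEVELS = {
    "uk": {"co", "org", "me", "ltd", "plc", "net", "sch", "ac", "gov"},
    "au": {"com", "net", "org", "edu", "gov", "id", "asn"},
}


def check_trust_root(trust_root):
    """Classify an OpenID trust_root. Returns (verdict, reason) with verdict
    one of 'ok', 'warn' (show the user a caution) or 'reject'."""
    parts = urlsplit(trust_root)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "reject", "trust_root must be an http(s) URL with a host"
    host = parts.hostname.rstrip(".")  # .hostname is already lowercased
    if "*" not in host:
        return "ok", "no wildcard"
    labels = host.split(".")
    # A wildcard may only be the entire leftmost label, and only one of them.
    if labels[0] != "*" or "*" in host[1:]:
        return "reject", "wildcard must be the whole leftmost label only"
    concrete = labels[1:]
    if not concrete:
        return "reject", "http://* matches every host"
    if "" in concrete:
        return "reject", "malformed host (empty label)"
    if len(concrete) == 1:
        return "reject", "only a TLD is concrete: *.%s spans a whole registry" % concrete[0]
    tld = concrete[-1]
    # Two concrete labels where the second-level one is registry-owned
    # (*.co.uk style) covers every site in that registry, so reject it.
    if len(concrete) == 2 and concrete[0] in REGISTRY_SECOND_LEVELS.get(tld, ()):
        return "reject", "*.%s is a registry suffix, not one site" % ".".join(concrete)
    # For a two-letter ccTLD we have no data on, two labels might still be a
    # registry suffix; we cannot prove it either way, so warn instead of fail.
    if len(concrete) == 2 and len(tld) == 2 and tld not in REGISTRY_SECOND_LEVELS:
        return "warn", "two labels under .%s may be a registry suffix; ask the user to check" % tld
    return "ok", "wildcard under a specific domain"
```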
