Super all-comprehensive specs/overview page (fwd)
Paul Crowley
paul at ciphergoth.org
Mon Jun 27 08:35:18 PDT 2005
Brad Fitzpatrick wrote:
> On Mon, 27 Jun 2005, Paul Crowley wrote:
>>The advantage of doing it this way is that the consumer makes fewer GET
>>requests.
>
> That's a big advantage!
Yes.
> Sorry -- explain to me the problem you see? (or not, if you feel it's not
> a big deal...?)
A careless consumer might cache the information that "the OpenID server
for http://bob.livejournal.com/ is
http://www.livejournal.com/openid/server.bml" after reading
"http://bob.com/". That allows bob.com to poison the cache. To avoid
these attacks, what the consumer has to record becomes more complex.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
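
The caching mistake described in the message above, next to a cache that files each entry only under the URL that was actually read. This is an added example, not part of the original post or of any OpenID/Yadis code; the `PAGES` table stands in for the GET and parse step, and `attacker.example`, `Consumer` and its fields are constructed for illustration.

```python
# Constructed discovery results: fetched URL -> (delegate, server) that page declares.
# The two livejournal.com URLs and bob.com come from the post; attacker.example is made up.
LJ_ID = "http://bob.livejournal.com/"
LJ_SERVER = "http://www.livejournal.com/openid/server.bml"
BAD_SERVER = "http://attacker.example/server"
PAGES = {
    "http://bob.com/": (LJ_ID, BAD_SERVER),  # bob.com makes a claim about LJ_ID
    LJ_ID: (LJ_ID, LJ_SERVER),               # what LJ_ID says about itself
}


class Consumer:
    """Toy consumer with a discovery cache (hypothetical, for illustration)."""

    def __init__(self, careful):
        self.careful = careful
        self.cache = {}   # URL -> (delegate, server)
        self.fetches = 0  # number of simulated GET requests

    def _fetch(self, url):
        self.fetches += 1
        return PAGES[url]

    def server_for(self, url):
        if url in self.cache:
            return self.cache[url][1]
        delegate, server = self._fetch(url)
        # Always safe: record what this page said, keyed by the page we read.
        self.cache[url] = (delegate, server)
        if not self.careful:
            # Careless shortcut: also trust the page's statement about the
            # delegate URL, which saves a GET but lets the page poison the cache.
            self.cache[delegate] = (delegate, server)
        return server


def lookup_after_reading_bob_com(careful):
    """Read bob.com first, then ask for the server of the LiveJournal identity."""
    c = Consumer(careful)
    c.server_for("http://bob.com/")
    return c.server_for(LJ_ID), c.fetches


if __name__ == "__main__":
    print("careless:", lookup_after_reading_bob_com(False))
    print("careful: ", lookup_after_reading_bob_com(True))
```

The careless consumer saves one GET and returns the server that bob.com asserted; the careful one pays the extra GET and keeps the two entries separate.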