openid.trust_root wildcards

Martin Atkins mart at
Wed May 18 12:06:23 PDT 2005

Brad Fitzpatrick wrote:
> It's up to the identity server to do the right thing here.  It doesn't
> affect the protocol.
> I'm sure we'll build a recommended list of domain suffixes which SHOULDN'T
> be wildcarded.

Netscape's Cookie spec says:

     Only hosts within the specified domain can set a cookie for a domain
     and domains must have at least two (2) or three (3) periods in them
     to prevent domains of the form: ".com", ".edu", and "". Any
     domain that fails within one of the seven special top level domains
     listed below only require two periods. Any other domain requires at
     least three. The seven special top level domains are: "COM", "EDU",
     "NET", "ORG", "GOV", "MIL", and "INT".

Limitations of not including "museum" and "coop" aside, this seems like 
a reasonable starting point.
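
The period-count rule from the quoted cookie spec, applied to wildcard trust roots. This is an added example, not part of the original message and not code from any OpenID implementation. It assumes a trust_root is a URL whose host may begin with "*."; the function name and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The seven special top-level domains named in the quoted cookie spec.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def wildcard_allowed(trust_root):
    """Return True if an identity server following the quoted rule would
    accept this trust_root. Hypothetical helper, not a real OpenID API.

    Trust roots without a wildcard host pass through unchanged.
    """
    # hostname is lowercased by urlsplit; strip a trailing root dot so
    # "*.com." cannot gain an extra period and slip past the count.
    host = (urlsplit(trust_root).hostname or "").rstrip(".")
    if host != "*" and not host.startswith("*."):
        return True

    domain = host[1:]                 # "*.example.com" -> ".example.com"
    periods = domain.count(".")
    tld = domain.rsplit(".", 1)[-1]   # "" for a bare "*" host
    required = 2 if tld in SPECIAL_TLDS else 3
    return periods >= required


if __name__ == "__main__":
    # Constructed sample trust roots.
    samples = [
        "http://*.example.com/",      # two periods, special TLD
        "http://*.com/",              # whole TLD wildcarded
        "http://*.com./",             # same, with trailing root dot
        "http://*.co.uk/",            # whole second-level suffix
        "http://*.example.co.uk/",    # three periods
        "http://*.example.museum/",   # TLD missing from the 1990s list
        "http://*.example.de/",       # ordinary ccTLD registration
        "http://*/",                  # everything
    ]
    for root in samples:
        verdict = "accept" if wildcard_allowed(root) else "refuse"
        print(f"{verdict:7} {root}")
```

Under this rule "*.example.museum" and "*.example.de" are refused while "*.example.com" is accepted, which is the limitation noted in the message.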
