mart at degeneration.co.uk
Fri May 20 04:59:08 PDT 2005
Ask Bjørn Hansen wrote:
> On May 20, 2005, at 3:18, Martin Atkins wrote:
> Isn't it a pain (and/or flaky) to do that safely? The consumer would
> have to check the new URL/ID the identity server gives you. (Or I'd
> have my rogue ID server respond with www.yoursite.com when I told the
> consumer www.mysite.com).
The consumer has to effectively check this anyway. The last stage in
validation is for the server-side code in the consumer to fetch the
identity URL, find the identity server and request the public key.
If my rogue ID server "canonicalizes" www.me.com to
www.someoneelse.com, www.someoneelse.com (presumably) won't list my ID
server and thus the consumer will get the wrong server key and the token
validation will fail.
More information about the yadis
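The validation flow Martin describes, as an added illustration that is not part of the original thread: the consumer trusts only the identity server that the (possibly canonicalized) identity URL itself declares, so a rogue server that answers with someone else's URL produces a token the consumer cannot verify. The "web" of identity pages and servers is constructed inline, and an HMAC over the identity URL stands in for the server's public-key signature; the URLs, keys and function names are assumptions for the example.

```python
import hashlib
import hmac

# Constructed stand-in for fetching an identity URL and reading which
# identity server it declares (the discovery step the consumer performs).
IDENTITY_PAGES = {
    "http://www.me.com/": "http://id.me.com/",
    "http://www.someoneelse.com/": "http://id.someoneelse.com/",
}

# Constructed stand-in for asking an identity server for its key.
# In the real protocol this is a public key; an HMAC secret is used here
# so the example runs offline with only the standard library.
SERVER_KEYS = {
    "http://id.me.com/": b"constructed-key-for-id.me.com",
    "http://id.someoneelse.com/": b"constructed-key-for-id.someoneelse.com",
}


def _sign(key, identity_url):
    """Signature over the asserted identity URL (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, identity_url.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(server_url, asserted_identity):
    """What an identity server hands back to the consumer: the identity URL it
    asserts (honest or "canonicalized") plus a signature made with its own key."""
    return {"identity": asserted_identity, "sig": _sign(SERVER_KEYS[server_url], asserted_identity)}


def consumer_validate(token):
    """Last stage of validation as described in the thread: fetch the asserted
    identity URL, find the identity server it lists, get that server's key and
    check the token against it. Returns True only if everything lines up."""
    identity = token["identity"]
    declared_server = IDENTITY_PAGES.get(identity)
    if declared_server is None:
        return False  # identity URL does not resolve to any identity server
    key = SERVER_KEYS.get(declared_server)
    if key is None:
        return False  # declared server unknown / unreachable
    expected = _sign(key, identity)
    return hmac.compare_digest(expected, token["sig"])


def scenarios():
    """Honest server versus a rogue server that answers with a different URL."""
    honest = issue_token("http://id.me.com/", "http://www.me.com/")
    # Rogue: id.me.com "canonicalizes" www.me.com to www.someoneelse.com.
    # www.someoneelse.com lists id.someoneelse.com, not id.me.com, so the
    # consumer fetches the wrong key for this signature and validation fails.
    rogue = issue_token("http://id.me.com/", "http://www.someoneelse.com/")
    return {
        "honest": consumer_validate(honest),
        "rogue_canonicalized": consumer_validate(rogue),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'valid' if ok else 'REJECTED'}")
```

The point the consumer must not skip is discovery on the URL the token actually asserts: if it looked up the server from the URL the user originally typed instead, the rogue server's signature would match and the substitution would go unnoticed.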