OpenID 2.0 draft 8 comments

Ben Laurie benl at
Sun Aug 13 10:41:31 UTC 2006

Security considerations should discuss the possibility of one relying
party attempting to masquerade as the user to another relying party.

open_id.assoc_type - should be a list of preferred algorithms, rather
than a single one. The response should be constrained to be one of
those in the list. Similarly other algorithm choices.

Why are request parameters openid.<blah> and responses just <blah>?

8.1: you suddenly start talking about the Provider instead of the IdP.

A.3: "...located by the identifier URL" - presumably this means
http[s]://. It would be clearer to say so.

A.2 would be a much more useful example if the entire process of
retrieving "the XRDS file" and authenticating it were shown. Similarly
for A.3.

Appendix B claims to be a confirmed prime - sez who? Where's the proof?
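An added example, not part of Ben Laurie's message or of the OpenID 2.0 draft, showing the shape the second comment asks for: the relying party sends an ordered list of acceptable association types and refuses any response whose assoc_type is not one it offered. The list-valued openid.assoc_type and the constructed responses are assumptions for illustration.

```python
# Added example, not from the OpenID 2.0 draft or this mailing-list message.
# It models the negotiation the second comment asks for: the relying party
# offers an ordered list of association types and rejects any response that
# names one it did not offer. A list-valued "openid.assoc_type" is the
# hypothetical form proposed in the comment, not the draft's single value.
from typing import Dict, List, Optional

# Strongest first; the provider is expected to pick the first it supports.
PREFERRED_ASSOC_TYPES: List[str] = ["HMAC-SHA256", "HMAC-SHA1"]

def build_assoc_request(preferred: List[str]) -> Dict[str, str]:
    """Associate request carrying the whole preference list (hypothetical)."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "associate",
        "openid.assoc_type": ",".join(preferred),
        "openid.session_type": "no-encryption",
    }

def parse_kv_response(body: str) -> Dict[str, str]:
    """Parse the key:value newline form of a direct response (keys unprefixed)."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed key-value line: {line!r}")
        fields[key] = value
    return fields

def negotiate(body: str, offered: List[str]) -> Optional[str]:
    """Return the provider's assoc_type only if we offered it, else None.
    Anything outside the offered list is refused as a downgrade."""
    chosen = parse_kv_response(body).get("assoc_type")
    if chosen is None or chosen not in offered:
        return None
    return chosen

# Constructed sample responses (not captured from any real provider).
GOOD_RESPONSE = ("ns:http://specs.openid.net/auth/2.0\nassoc_type:HMAC-SHA256\n"
                 "session_type:no-encryption\nassoc_handle:constructed-handle-1\n")
DOWNGRADE_RESPONSE = "ns:http://specs.openid.net/auth/2.0\nassoc_type:HMAC-MD5\n"
```

The same "is the answer one of the choices I offered" check applies to the other algorithm choices the comment mentions, such as session_type.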

