OpenID 2.0 draft 8 comments

Dick Hardt dick at
Sun Aug 13 16:58:12 UTC 2006

All good points Ben. Thanks for the review!

-- Dick

On 13-Aug-06, at 3:41 AM, Ben Laurie wrote:

> Security considerations should discuss the possibility of one relying
> party attempting to masquerade as the user to another relying party.
> open_id.assoc_type - should be a list of preferred algorithms, rather
> than a single one. The response should be constrained to be one of
> those in the list. Similarly other algorithm choices.
> Why are request parameters openid.<blah> and responses just <blah>?
> 8.1: you suddenly start talking about the Provider instead of the IdP.
> A.3: "...located by the identifier URL" - presumably this means
> http[s]:// It would be clearer to say so.
> A.2 would be a much more useful example if the entire process of
> retrieving "the XRDS file" and authenticating it were shown. Similarly
> for A.3.
> Appendix B claims to be a confirmed prime - sez who? Where's the proof?
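The second of Ben's points above (offer a list of acceptable association types and constrain the response to that list) is essentially a downgrade check on the relying party side. The following is an added illustration of that check, written for this archive page; it is not code from the OpenID specification, from Dick Hardt, or from Ben Laurie. The comma-separated `openid.assoc_type` list in the request is a hypothetical encoding of Ben's proposal, and the response body uses the "key:value" line format that the thread notes is used unprefixed on the response side; the sample responses are constructed.

```python
"""
Added example (not from the thread): a relying party (RP) check for the
negotiation Ben Laurie proposes, where the RP offers an ordered list of
acceptable association types and rejects any response naming a type outside
that list. The comma-separated request list is a hypothetical encoding, not
the OpenID 2.0 spec's actual assoc_type handling.
"""

# RP preference order, strongest first (an assumption for the example).
ACCEPTABLE_ASSOC_TYPES = ["HMAC-SHA256", "HMAC-SHA1"]


class AssociationError(ValueError):
    """Raised when an association request or response is unacceptable."""


def build_assoc_request(preferred):
    """Build request parameters offering the whole preference list.

    Request keys carry the 'openid.' prefix, as the thread notes; the
    list-valued assoc_type field is the hypothetical part.
    """
    if not preferred:
        raise AssociationError("must offer at least one assoc_type")
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "associate",
        "openid.assoc_type": ",".join(preferred),
        "openid.session_type": "no-encryption",
    }


def parse_kv_response(body):
    """Parse a key-value form response: one 'key:value' per line.

    Only the first ':' separates key from value, so values may contain ':'.
    Duplicate keys are rejected rather than silently overwritten.
    """
    fields = {}
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line:
            continue
        if ":" not in line:
            raise AssociationError(f"line {lineno}: not in key:value form")
        key, value = line.split(":", 1)
        if key in fields:
            raise AssociationError(f"line {lineno}: duplicate key {key!r}")
        fields[key] = value
    return fields


def check_assoc_response(body, offered):
    """Return the negotiated assoc_type, or raise if the OP's choice is not
    one the RP offered (a downgrade) or the response is incomplete."""
    fields = parse_kv_response(body)
    chosen = fields.get("assoc_type")
    if chosen is None:
        raise AssociationError("response missing assoc_type")
    if chosen not in offered:
        raise AssociationError(
            f"OP chose {chosen!r}, which is not in the offered list {offered}"
        )
    for required in ("assoc_handle", "mac_key", "expires_in"):
        if required not in fields:
            raise AssociationError(f"response missing {required}")
    return chosen


def response_is_acceptable(body, offered):
    """Boolean wrapper around check_assoc_response for callers that only
    need accept/reject."""
    try:
        check_assoc_response(body, offered)
        return True
    except AssociationError:
        return False


# Constructed sample responses (not captured from any real OpenID provider).
GOOD_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_handle:example-handle-1\n"
    "assoc_type:HMAC-SHA256\n"
    "session_type:no-encryption\n"
    "expires_in:1209600\n"
    "mac_key:c2VjcmV0LW1hYy1rZXk=\n"
)
# Same response, but the OP answers with a type the RP never offered.
DOWNGRADE_RESPONSE = GOOD_RESPONSE.replace("HMAC-SHA256", "HMAC-MD5")

if __name__ == "__main__":
    print(build_assoc_request(ACCEPTABLE_ASSOC_TYPES))
    print("good:", response_is_acceptable(GOOD_RESPONSE, ACCEPTABLE_ASSOC_TYPES))
    print("downgrade:", response_is_acceptable(DOWNGRADE_RESPONSE, ACCEPTABLE_ASSOC_TYPES))
```

The check deliberately keys off what the RP itself sent rather than a global allow-list, which is the point of Ben's comment: whatever set was offered, the response must name a member of it, and anything else is rejected before the MAC key is ever used.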

More information about the yadis mailing list