OpenID 2.0 security considerations

Kevin Turner kevin at
Thu Aug 24 20:41:22 UTC 2006

On Wed, 2006-08-23 at 22:34 -0700, Dick Hardt wrote:
> Smart mode is hard to do with a Rich Client acting as the IdP. I  
> don't think an IdP should be required to do smart mode.

Assuming signed messages[1], normal mode and stateless mode differ
mostly in that one makes an "associate" request and the other makes a
"check_authentication" request.  But these are both direct RP to IdP
requests and both flows result in equivalent assertions, so it seems to
me that they pose equivalent obstacles in terms of moving the IdP to a
rich client.

What am I missing?

[1]: which seems a safe assumption, as signing "id_res" messages is
required for all currently specified forms of OpenID.

More information about the yadis mailing list