trust_root
    Martin Atkins
    mart at degeneration.co.uk
    Wed Aug 30 21:58:01 UTC 2006

Johannes Ernst wrote:
> Which reminds me that I've never quite understood what the attack is 
> that the OpenID trust_root protects against. There seems to be no 
> mechanism by which the user (or the IdP) could force the RP to only 
> apply authentication to places covered by trust_root. And return_to 
> already to where the authentication assertion goes.
> 
> Anybody enlightened on this list who'd like to enlighten me? Thanks ...
> 
The purpose of trust_root is so that IDPs that offer a "Yes; always" 
option can apply that "always" to more than one URL. I think that's 
about it.

IDPs are supposed to make sure that the return_to is "in" the trust_root 
and fail if not, thus preventing other RPs from abusing that stored trust.
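One way an IdP could implement the "return_to is in the trust_root" check described above, as an added example that is not code from the thread or from any OpenID library. The matching rules it applies are assumptions modelled on OpenID 1.x-style trust roots: scheme and port must match, a host beginning with "*." covers the base domain and its subdomains, and the trust_root path must be a whole-segment prefix of the return_to path.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, port, path) or None if the URL is unusable."""
    p = urlsplit(url)
    try:
        port = p.port
    except ValueError:  # non-numeric port, etc.
        return None
    if not p.scheme or not p.hostname:
        return None
    return p.scheme, p.hostname, port or DEFAULT_PORTS.get(p.scheme), p.path or "/"


def return_to_within_trust_root(return_to: str, trust_root: str) -> bool:
    """True if return_to is 'in' trust_root, i.e. a stored "Yes; always"
    decision for trust_root may be applied to this return_to.

    Rules are assumptions (OpenID 1.x style), not taken from the thread.
    """
    rt = _split(return_to)
    tr = _split(trust_root)
    if rt is None or tr is None or "*" in rt[1]:
        return False
    rt_scheme, rt_host, rt_port, rt_path = rt
    tr_scheme, tr_host, tr_port, tr_path = tr
    if rt_scheme != tr_scheme or rt_port != tr_port:
        return False
    if tr_host.startswith("*."):
        base = tr_host[2:]
        # Refuse over-broad roots such as "*.com"; a public-suffix list
        # check (for "*.co.uk" and friends) is out of scope here.
        if "*" in base or base.count(".") < 1:
            return False
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif "*" in tr_host or rt_host != tr_host:
        return False
    # Path must match on whole segments: "/app" covers "/app/x" but not "/apple".
    if tr_path.endswith("/"):
        return rt_path.startswith(tr_path)
    return rt_path == tr_path or rt_path.startswith(tr_path + "/")
```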