Martin Atkins mart at
Wed Aug 30 21:58:01 UTC 2006

Johannes Ernst wrote:
> Which reminds me that I've never quite understood what the attack is 
> that the OpenID trust_root protects against. There seems to be no 
> mechanism by which the user (or the IdP) could force the RP to only 
> apply authentication to places covered by trust_root. And return_to 
> already to where the authentication assertion goes.
> Anybody enlightened on this list who'd like to enlighten me? Thanks ...

The purpose of trust_root is so that IDPs that offer a "Yes; always" 
option can apply that "always" to more than one URL. I think that's 
about it.

IDPs are supposed to make sure that the return_to is "in" the trust_root 
and fail if not, thus preventing other RPs from abusing that stored trust.

More information about the yadis mailing list