auth response: openid.identity optional, but must be signed

Johnny Bufu johnny at sxip.com
Thu Aug 31 19:45:40 UTC 2006


Hi,

I am reading the OpenID specs, and at section "9.1 Positive
Assertions" there is:

------------
openid.identity

Value: (optional) The Identifier about which the IdP is making a  
positive authentication assertion.

Note: The Identifier MAY be omitted if an extension is in use that  
makes the response meaningful without it.

[...]

openid.signed

Value: Comma-separated list of signed fields.

Note: Fields without the "openid." prefix that the signature covers.  
This list MUST contain at least "identity", "return_to", and "nonce".  
For example, "identity,return_to,nonce".
------------

If the identity field is optional, how should it be signed? Should it  
be attached to the string to be signed with null value, even when it  
is not part of the response?

Thanks,
Johnny
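
The conflict raised above, as an added example that is not part of the original post or of any OpenID library: a check of a positive assertion against the quoted openid.signed rule. The function name, the `openid.ext.example` field and all sample values are constructed for illustration.

```python
# Added example: checks a positive assertion against the quoted
# openid.signed rule. All names and sample values are constructed.

REQUIRED_SIGNED = ("identity", "return_to", "nonce")  # from the quoted Note


def check_signed_list(response):
    """Return (missing_from_list, listed_but_absent) for a response dict."""
    raw = response.get("openid.signed", "")
    signed = [name.strip() for name in raw.split(",") if name.strip()]
    # Names the quoted rule says MUST appear in openid.signed but do not.
    missing_from_list = [f for f in REQUIRED_SIGNED if f not in signed]
    # Names the list claims are covered although the response carries no
    # such field, so a verifier has no value to check for them.
    listed_but_absent = [f for f in signed if "openid." + f not in response]
    return missing_from_list, listed_but_absent


# Constructed sample: ordinary response that includes openid.identity.
WITH_IDENTITY = {
    "openid.identity": "https://user.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.nonce": "constructed-nonce-1",
    "openid.signed": "identity,return_to,nonce",
}

# Constructed sample: extension-only response, identity omitted from the
# message but still named in openid.signed as the MUST rule requires.
OMITTED_BUT_LISTED = {
    "openid.return_to": "https://rp.example/return",
    "openid.nonce": "constructed-nonce-2",
    "openid.ext.example": "value",  # hypothetical extension field
    "openid.signed": "identity,return_to,nonce",
}

# Constructed sample: identity omitted from both message and signed list.
OMITTED_AND_UNLISTED = dict(OMITTED_BUT_LISTED,
                            **{"openid.signed": "return_to,nonce"})

if __name__ == "__main__":
    for name in ("WITH_IDENTITY", "OMITTED_BUT_LISTED", "OMITTED_AND_UNLISTED"):
        print(name, check_signed_list(globals()[name]))
```

With openid.identity omitted, one of the two returned lists is always non-empty, which is the conflict the question points at.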

