[cl-openid-devel] remaining tickets
Anton Vodonosov
avodonosov at yandex.ru
Thu Aug 14 23:51:28 UTC 2008
I am thinking of our tickets.
Initially I thought that #12 - "openid.return_to
verification based on realm, relying party discovery"
- is very important, a kind of security breach.
But does any known provider support this?
I have tried to perform Yadis discovery on blogger
and livejournal. Either I do something wrong, or they
do not list RP endpoints. Or do they implement OpenID older
than 2.0?
According to this -
http://wiki.openid.net/OpenIDChanges#Realm_verification
- there are some attacks possible without the realm
verification, and that is why the verification was
introduced in 2.0.
But on the other hand it is not a MUST, but 'only' a SHOULD.
And I do not want our library to reject livejournal if
it does not list RP endpoints.
What do you think of this ticket's importance?
#9 "Verifying the Return URL error" is important because
it is a protocol bug; but it is trivial to fix.
Thread safety is important, implementation is relatively
simple.
The remaining ones (#7, #8, #10, #11) are minor at the moment.
-Anton
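The realm verification discussed above, as an added illustration (Python, not cl-openid's code): OpenID 2.0 section 9.2 realm matching of openid.return_to, followed by a section 9.2.1 style comparison against the RP endpoints that Yadis discovery on the realm would yield. The endpoint list is passed in as a constructed value so the check runs offline, the path-segment-boundary rule and the "match each discovered endpoint like a realm" rule are this example's assumptions, and an RP that publishes no endpoints (the livejournal case) is reported as "unverified" rather than rejected, since discovery is only a SHOULD.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def realm_matches(realm: str, url: str) -> bool:
    """OpenID 2.0 section 9.2: does `url` fall under `realm`?

    Scheme and port must agree, the host must equal the realm host (or be a
    subdomain of it when the realm starts with "*."), and the realm path must
    be a prefix of the URL path on a segment boundary (assumption: stricter
    than the spec's bare "prefix" wording, as common RP libraries do).
    """
    r, u = urlsplit(realm), urlsplit(url)
    host = r.hostname or ""
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    # A realm may not carry a fragment, and a leading "*." is the only wildcard.
    if r.fragment or not host or "*" in host:
        return False
    if r.scheme != u.scheme:
        return False
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    target = u.hostname or ""
    if wildcard:
        if not (target == host or target.endswith("." + host)):
            return False
    elif target != host:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if rpath.endswith("/"):
        return upath.startswith(rpath)
    return upath == rpath or upath.startswith(rpath + "/")


def verify_return_to(realm: str, return_to: str, discovered_endpoints) -> str:
    """OP-side check in the spirit of section 9.2.1.

    `discovered_endpoints` stands in for the return_to URLs found by Yadis
    discovery on the realm (constructed input, no network access).
    Returns "verified", "unverified" (RP lists no endpoints) or "rejected".
    """
    if not realm_matches(realm, return_to):
        return "rejected"  # the user would be shown a realm the return_to is outside of
    if not discovered_endpoints:
        return "unverified"  # discovery is a SHOULD: leave the decision to policy
    # Assumption: each discovered endpoint is matched the way a realm is.
    if any(realm_matches(ep, return_to) for ep in discovered_endpoints):
        return "verified"
    return "rejected"
```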