[OpenID] OP Endpoint URL (was: guid openid delegate)

Johnny Bufu johnny at sxip.com
Thu Sep 13 11:40:02 PDT 2007


On 13-Sep-07, at 10:36 AM, Peter Williams wrote:

> I'd avoided doing definitional analysis to date, focusing more on the
> "natural" flow of the signals in the messages with a view to
> understanding the intent of the various security controls.
>
> Let me comment on Draft #12 (hopefully usefully) now that I've paid
> attention:
>
>
>
> A "OP Endpoint URL:
>
> The URL which accepts OpenID Authentication requests, obtained by
> performing discovery on the the User-Supplied Identifier. This value
> MUST be an absolute URL."
>
> A1. (double "the" in the v12 text, note)

Fixed, thanks!

> A2. Unless discovery (via HTML or XRI resolution processes) is
> constrained to required to ultimately return an Identifier, the OP
> Endpoint URL could be sip:.... for all this definition cares. See B1
> below for possible fix

The OpenID protocol is HTTP-based (all protocol messages are REQUIRED  
to use HTTP), so this is also an overlook. Will fix together with the  
next one (thanks again!)

> A3. the definition would ideally become unhooked from both solicited
> auth and discovery, allowing for its formal involvement in unsolicited
> auth. In unsolicited auth, there is no User-Supplied Identifier, of
> course, and its not discovery which determine a final value for the OP
> Endpoint URL.

Yes, it is: 11.2 Verifying Discovered Information:

"...  the Relying Party MUST perform discovery on the Claimed  
Identifier in the response to make sure that the OP is authorized to  
make assertions about the Claimed Identifier."


> (And, the OP Endpoint is not an accepting function for an
> auth request (by definition of unsolicited auth)). See C1 for "fix".

"OpenID Authentication requests" is not intended to refer only to  
messages defined in section 9 Requesting Authentication. Rather: "all  
requests messages defined by the OpenID Authentication protocol".  
Would it be clearer like this:

"The HTTP(S) URL which accepts OpenID Authentication protocol messages"
(or any other phrasing suggestions?)

> A4. I think we have to keep OP Endpoint URL in the unsolicited Auth
> schema of definitions - as I think an unsolicited Auth with non- 
> positive
> assertions is actually allowed: one can send id_res (setupRequired)
> inviting the RP to come back to the OP EndPoint URL to have the user
> complete the setup-grade GUI.

Not sure why the OP would want to do that, rather than issuing a  
positive assertion from start. Do you see any problems?


Johnny



More information about the general mailing list