Martin v. Löwis <mar...@v.loewis.de> added the comment:

> But does this mean that other consumers are not so strict and allow cheating?

I'm not sure how serious this is, but the OpenID spec (http://openid.net/specs/openid-authentication-2_0.html) seems to say in section 11 that this MUST be verified by the relying party ("Discovered information matches the information in the assertion"). The table in 11.2 then says that the discovered "OP Endpoint URL" must match the openid.op_endpoint field - which in your case it didn't, meaning that a protocol-conforming relying party should reject the assertion.

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue462>
_______________________________________________________
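
A relying-party check for the comparison in section 11.2 discussed above, as an added example that is not part of the original message or of the tracker's code. It goes beyond the one field named in the message and compares all four rows of the 11.2 table; the keys of the `discovered` dictionary, the function name and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"


def discovered_info_mismatches(assertion, discovered):
    """Compare a positive assertion with the relying party's own discovery result.

    assertion:  openid.* fields received from the OP
    discovered: what the relying party found by running discovery itself
                (hypothetical keys: claimed_id, op_local_id, op_endpoint)
    Returns the openid.* field names that do not match; an empty list means
    the assertion passes this check.
    """
    claimed = assertion.get("openid.claimed_id")
    if not claimed:
        # Simplification: this example only handles assertions about an identifier.
        return ["openid.claimed_id"]
    # The fragment of the claimed identifier is not used for this comparison.
    received = dict(assertion)
    received["openid.claimed_id"] = urldefrag(claimed).url
    # If discovery yielded no OP-Local Identifier, the claimed identifier is used.
    local_id = discovered.get("op_local_id") or discovered["claimed_id"]
    expected = {
        "openid.ns": OPENID2_NS,
        "openid.claimed_id": discovered["claimed_id"],
        "openid.identity": local_id,
        "openid.op_endpoint": discovered["op_endpoint"],
    }
    return [name for name, value in expected.items() if received.get(name) != value]


# Constructed sample data, not taken from the tracker issue.
DISCOVERED = {"claimed_id": "https://user.example/", "op_local_id": None,
              "op_endpoint": "https://op.example/openid"}
GOOD = {"openid.ns": OPENID2_NS,
        "openid.claimed_id": "https://user.example/#gen1",
        "openid.identity": "https://user.example/",
        "openid.op_endpoint": "https://op.example/openid"}
# Same assertion, but naming an endpoint that discovery did not return.
BAD = dict(GOOD, **{"openid.op_endpoint": "https://other-op.example/openid"})

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        problems = discovered_info_mismatches(msg, DISCOVERED)
        print(label, "accept" if not problems else "reject: %s" % problems)
```
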