[OpenID] OpenID and HTTPS

Jonathan Daugherty cygnus at janrain.com
Fri Feb 9 23:24:22 UTC 2007

# >I don't know what documentation you're referring to, but presumably
# >you mean the spec; in that case, it's the RP implementation's
# >responsibility to fail to validate the supplied certificate in the
# >case you mentioned.
# I think what you're saying is that (2) applies according to the spec
# and therefore that users MUST NOT say https when supplying their
# OpenID URL or that form if they want their login to succeed.

I don't think what users do is in scope for the spec.  Requiring the
RP to fail on an invalid cert protects against both user and OP

  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid