[OpenID] OpenID and HTTPS
cygnus at janrain.com
Fri Feb 9 23:24:22 UTC 2007
# >I don't know what documentation you're referring to, but presumably
# >you mean the spec; in that case, it's the RP implementation's
# >responsibility to fail to validate the supplied certificate in the
# >case you mentioned.
# I think what you're saying is that (2) applies according to the spec
# and therefore that users MUST NOT say https when supplying their
# OpenID URL or that form if they want their login to succeed.
I don't think what users do is in scope for the spec. Requiring the
RP to fail on an invalid cert protects against both user and OP
irc.freenode.net: cygnus in #openid
More information about the general