[OpenID] OpenID and HTTPS
ejnorman at doit.wisc.edu
Fri Feb 9 23:42:08 UTC 2007
On Feb 9, 2007, at 5:24 PM, Jonathan Daugherty wrote:
> # >I don't know what documentation you're referring to, but presumably
> # >you mean the spec; in that case, it's the RP implementation's
> # >responsibility to fail to validate the supplied certificate in the
> # >case you mentioned.
> # I think what you're saying is that (2) applies according to the spec
> # and therefore that users MUST NOT say https when supplying their
> # OpenID URL or that form if they want their login to succeed.
> I don't think what users do is in scope for the spec. Requiring the
> RP to fail on an invalid cert protects against both user and OP
OK, I'll add something about this to the user-experience wiki.
More information about the general