[OpenID] OpenID and HTTPS

Eric Norman ejnorman at doit.wisc.edu
Fri Feb 9 23:42:08 UTC 2007


On Feb 9, 2007, at 5:24 PM, Jonathan Daugherty wrote:

> # >I don't know what documentation you're referring to, but presumably
> # >you mean the spec; in that case, it's the RP implementation's
> # >responsibility to fail to validate the supplied certificate in the
> # >case you mentioned.
> #
> # I think what you're saying is that (2) applies according to the spec
> # and therefore that users MUST NOT say https when supplying their
> # OpenID URL or that form if they want their login to succeed.
>
> I don't think what users do is in scope for the spec.  Requiring the
> RP to fail on an invalid cert protects against both user and OP
> mistakes.

OK, I'll add something about this to the user-experience wiki.

Eric Norman
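The rule Jonathan states above, that the RP must fail on an invalid certificate rather than let the login proceed, is short to say but easy to get wrong in code (the usual mistakes are disabling verification to "make it work" or quietly retrying over plain http). As an added example, not code from this thread or from any OpenID library, here is a minimal relying-party fetch of a user-supplied identifier in Python that verifies the server certificate and hostname, fails closed on any TLS error, and refuses to follow a redirect from https to http. The names `fetch_identifier`, `normalize_identifier`, `strict_tls_context` and `DiscoveryError` are assumptions chosen for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit


class DiscoveryError(Exception):
    """Raised when the identifier URL cannot be fetched securely.

    The RP treats this as 'login fails'; it never falls back to http.
    """


def strict_tls_context() -> ssl.SSLContext:
    """Context that validates the chain against the system trust store
    and checks that the certificate matches the requested hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True          # reject a valid cert for the wrong host
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject unknown / self-signed chains
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if both certificate verification and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but never step down from https to http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if req.full_url.startswith("https://") and newurl.startswith("http://"):
            raise DiscoveryError(f"refusing redirect from {req.full_url} to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def normalize_identifier(user_input: str) -> str:
    """Add a scheme if the user typed none and drop any fragment.

    Whatever scheme the user gave (http or https) is kept as-is: an
    https identifier is never rewritten to http.
    """
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s  # bare 'example.com' defaults to http
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise DiscoveryError(f"unsupported scheme: {parts.scheme!r}")
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, parts.query, ""))


def fetch_identifier(identifier: str, opener=None, timeout: float = 10.0) -> bytes:
    """Fetch the identifier page for discovery, failing closed on TLS errors.

    `opener` is injectable so the policy can be exercised without network
    access; the default opener uses the strict context above.
    """
    url = normalize_identifier(identifier)
    if opener is None:
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=strict_tls_context()),
            NoDowngradeRedirect(),
        )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, wrong-host, untrusted CA: all end the login here.
        raise DiscoveryError(f"certificate validation failed for {url}: {exc}") from exc
    except ssl.SSLError as exc:
        raise DiscoveryError(f"TLS failure for {url}: {exc}") from exc


if __name__ == "__main__":
    # Constructed input; with a real network this would hit the named host.
    try:
        print(len(fetch_identifier("https://example.com/alice")), "bytes fetched")
    except DiscoveryError as err:
        print("login refused:", err)
```

The injectable `opener` is what makes the fail-closed behaviour testable: a stand-in that raises `ssl.SSLCertVerificationError` must surface as `DiscoveryError`, and an https identifier must come back from normalization still spelled https.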
