[OpenID] Trust + Security @ OpenID
Dmitry Shechtman
damnian at gmail.com
Thu Jul 19 17:51:50 UTC 2007
Thank you for your comments, John.
> In particular, if you see a 302 redirect on step (2) to an https:// URL,
> ignore it (susceptible to man-in-the-middle attack).
So should we distrust identifiers that redirect via plain HTTP?
> And the above applies both to an OpenID URL itself and any URLs that
> resource delegates to via <link>.
I don't see why delegates should get any special treatment. In fact, it
looks like the security add-on should be completely delegation-blind.
Regards,
Dmitry
=damnian
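The rule John's quoted reply describes (a 302 from http:// to https:// on the discovery fetch does not upgrade trust) and Dmitry's point that delegate URLs get the same treatment, written out as an added example; this is not code from the thread or from any OpenID library, and the redirect chains and hostnames below are constructed.

```python
"""Trust level of an OpenID identifier after discovery.

A plain-http hop can be tampered with on the wire, so a chain that started
over http cannot become trusted just because it 302'd to https.  The same
check is applied, delegation-blind, to every URL reached via <link>.
"""
from urllib.parse import urlsplit

# Constructed redirect chains: each hop is (requested_url, status, location).
# A real implementation would record these from its HTTP client.
CHAIN_HTTPS_ONLY = [("https://example.com/alice", 200, None)]
CHAIN_UPGRADED = [  # the case the quoted reply says to ignore
    ("http://example.com/alice", 302, "https://example.com/alice"),
    ("https://example.com/alice", 200, None),
]
CHAIN_HTTP_ONLY = [("http://example.com/alice", 200, None)]


def check_chain(chain):
    """Reject malformed chains: every Location must be the next hop's URL,
    and only the final hop may be a non-redirect response."""
    for i, (_url, status, location) in enumerate(chain):
        last = i == len(chain) - 1
        if last and location is not None:
            raise ValueError("final hop still redirects")
        if not last and (status not in (301, 302, 303, 307, 308)
                         or location != chain[i + 1][0]):
            raise ValueError(f"hop {i} does not lead to hop {i + 1}")


def weakest_scheme(chain):
    """'https' only if every hop was fetched over https; one http hop taints
    the whole chain, even when that hop redirected to an https:// URL."""
    check_chain(chain)
    for url, _status, _location in chain:
        if urlsplit(url).scheme != "https":
            return "http"
    return "https"


def trusted(identifier_chain, delegate_chains=()):
    """True only if the identifier's own chain and every delegate's chain
    were https end to end (same rule for all, no special case for delegates)."""
    return all(weakest_scheme(c) == "https"
               for c in (identifier_chain, *delegate_chains))
```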