[OpenID] Trust + Security @ OpenID

Dmitry Shechtman damnian at gmail.com
Thu Jul 19 17:51:50 UTC 2007


Thank you for your comments, John.

> In particular, if you see a 302 redirect on step (2) to an https:// URL,
> ignore it (susceptible to man-in-the-middle attack).

So should we distrust identifiers that redirect via plain HTTP?


> And the above applies both to an OpenID URL itself and any URLs that 
> resource delegates to via <link>.

I don't see why delegates should get any special treatment. In fact, it
looks like the security add-on should be completely delegation-blind.


Regards,
Dmitry
=damnian
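The rule John states in the quoted lines (a 302 from an http:// identifier to an https:// URL earns no trust, because the plaintext hop could have been altered in transit) and Dmitry's point that the check should apply identically whether or not delegation is involved can both be expressed as a small discovery-time check. The following is an added example, not code from this thread or from any OpenID library: it follows a redirect chain against a constructed in-memory response table (the example.org / example.net / openid.example.com URLs are invented sample data), records every hop, and marks the result secure only when every URL touched was https. The same assessment is then applied to the claimed identifier and to its delegate, so the verdict is delegation-blind.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: cap on redirects followed during discovery

# Constructed, in-memory stand-in for the network (not real hosts). Each
# entry maps a URL to (status, Location header for redirects / body for
# final documents).
CONSTRUCTED_RESPONSES = {
    # identifier served over plain HTTP that upgrades to HTTPS via 302
    "http://example.org/dmitry": (302, "https://example.org/dmitry"),
    "https://example.org/dmitry": (200, "<html><head></head></html>"),
    # identifier that is HTTPS end to end
    "https://example.net/dmitry": (200, "<html><head></head></html>"),
    # delegate that is HTTPS end to end
    "https://openid.example.com/dmitry": (200, "<html><head></head></html>"),
    # delegate served only over plain HTTP
    "http://openid.example.com/plain": (200, "<html><head></head></html>"),
}


def constructed_fetch(url):
    """Look up a constructed response; unknown URLs behave like a 404."""
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


def follow_discovery(start_url, fetch=constructed_fetch, max_hops=MAX_HOPS):
    """Follow redirects from start_url, recording every (url, status) hop.

    Returns (final_url, hops). A relative Location value is resolved
    against the redirecting URL, as a browser would resolve it.
    """
    url, hops = start_url, []
    for _ in range(max_hops):
        status, target = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_STATUSES:
            url = urljoin(url, target)
            continue
        return url, hops
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def assess_url(url, fetch=constructed_fetch):
    """Return {'secure': bool, 'final_url': str, 'reason': str}.

    'secure' is True only when every hop, the starting URL included, was
    fetched over https and the final document was actually retrieved.
    A plain-http hop anywhere in the chain could have been altered in
    transit, so a later upgrade to https earns the result no trust.
    """
    final_url, hops = follow_discovery(url, fetch)
    plain = [u for u, _ in hops if urlparse(u).scheme != "https"]
    if plain:
        return {"secure": False, "final_url": final_url,
                "reason": "plain-http hop(s): " + ", ".join(plain)}
    final_status = hops[-1][1]
    if final_status != 200:
        return {"secure": False, "final_url": final_url,
                "reason": f"final fetch returned {final_status}"}
    return {"secure": True, "final_url": final_url,
            "reason": "https on every hop"}


def assess_identifier(identifier_url, delegate_url=None,
                      fetch=constructed_fetch):
    """Delegation-blind assessment: the claimed identifier and, when one is
    present, the URL it delegates to are judged by the identical rule, and
    the combined result is secure only if every part is."""
    parts = {"identifier": assess_url(identifier_url, fetch)}
    if delegate_url is not None:
        parts["delegate"] = assess_url(delegate_url, fetch)
    return {"secure": all(p["secure"] for p in parts.values()),
            "parts": parts}


if __name__ == "__main__":
    cases = [
        ("http://example.org/dmitry", None),
        ("https://example.net/dmitry", "https://openid.example.com/dmitry"),
        ("https://example.net/dmitry", "http://openid.example.com/plain"),
    ]
    for ident, deleg in cases:
        verdict = assess_identifier(ident, deleg)
        print(ident, deleg, "->", "secure" if verdict["secure"] else "NOT secure")
        for name, part in verdict["parts"].items():
            print("   ", name, part["reason"])
```

The first case shows the upgrade redirect being rejected even though the document is finally fetched from an https:// URL; the third shows a fully https identifier still failing because its delegate was reached over plain HTTP. Swapping `constructed_fetch` for a real HTTP client that returns the status and Location header is the only change needed to run this against live discovery.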
