IdP's Advertising Both http and https
Rowan Kerr
rowan at standardinteractive.com
Thu Nov 9 15:45:23 UTC 2006
On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote:
> > -----Original Message-----
> > From: Recordon, David
> >
> > But the security warnings will still exist:
> > - RP redirects me to http on IdP
> > - IdP redirects me to https on IdP for login page (warning)
>
> no warning on GET redirects

If GET is going to be an acceptable method for responses, the spec
should be updated. Section 5.2.1. HTTP Redirect states:

    This method is deprecated as of OpenID Authentication version
    2.0 though is still required for implementation to aid in
    backwards compatibility.

Yes/no?

-Rowan