IdP's Advertising Both http and https
Dick Hardt
dick at sxip.com
Sun Nov 12 23:12:32 UTC 2006
On 9-Nov-06, at 7:45 AM, Rowan Kerr wrote:
> On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote:
>>> -----Original Message-----
>>> From: Recordon, David
>>>
>>> But the security warnings will still exist:
>>> - RP redirects me to http on IdP
>>> - IdP redirects me to https on IdP for login page (warning)
>>
>> no warning on GET redirects
>
> If GET is going to be an acceptable method for responses, the spec
> should be updated. Section 5.2.1. HTTP Redirect states:
>
> This method is deprecated as of OpenID Authentication version
> 2.0 though is still required for implementation to aid in
> backwards compatibility.
To clarify, the GET redirect that I am referring to is one to
the same host.
We moved to a POST between RP and OP so that we could move more data.
-- Dick