[Code] Encrypting communication between the OP and the RP
Andrew Arnott
andrewarnott at gmail.com
Fri Apr 13 00:51:02 UTC 2012
As long as you don't mind the user who is logging in observing the data
(not usually considered a problem) then SSL should be fine. And yes,
requireSsl=true is a good setting to enforce this.
Sent from my Windows Phone
------------------------------
From: Russ Ferrill
Sent: 4/12/2012 1:05 PM
To: openid-code at lists.openid.net
Subject: [Code] Encrypting communication between the OP and the RP
Hello,
I am implementing an OpenID provider using the DNOA code. I want to be
sure that the communication between the OP and the RP is secure. I’m only
concerned about authentication requests and authentication responses. As
far as I can tell from looking at the code this is all “indirect”
communication accomplished by redirecting the end-user’s browser. I want to
be sure that the data included in the authentication request and the
authentication response is encrypted. In order to accomplish this, do I
have to do anything other than make the OP endpoint an HTTPS URL protected
by SSL? Would it be a good idea to set the require ssl configuration values
to true? Is there anything else specific to the DNOA code that I need to
configure or modify in order to support this?
Thanks.
Russ Ferrill
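
An added example, not part of the original thread and not DNOA code: a small Python check of one indirect OpenID message, reporting which legs of the redirect are not HTTPS and which fields the browser user can still read even when every leg is. The redirect URL, host names and field values are constructed sample data, and `audit_indirect_message` is a hypothetical helper name.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the redirect that carries a positive assertion from the
# OP back to the RP through the user's browser. Hosts and values are made up.
SAMPLE_REDIRECT = (
    "https://rp.example/login/return"
    "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Fop.example%2Fuser%2Falice"
    "&openid.return_to=https%3A%2F%2Frp.example%2Flogin%2Freturn"
    "&openid.sreg.email=alice%40example.org"
)

# Message fields that name an endpoint one leg of the exchange is sent to.
ENDPOINT_FIELDS = ("openid.op_endpoint", "openid.return_to")


def audit_indirect_message(redirect_url):
    """Return (cleartext_legs, visible_fields) for one indirect message.

    cleartext_legs: names of the URLs in the exchange that are not https.
    visible_fields: every openid.* value the browser (and its user) can read.
    """
    params = dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))
    legs = {"redirect target": redirect_url}
    for field in ENDPOINT_FIELDS:
        if field in params:
            legs[field] = params[field]
    cleartext = sorted(
        name for name, url in legs.items()
        if urlsplit(url).scheme.lower() != "https"
    )
    visible = {k: v for k, v in params.items() if k.startswith("openid.")}
    return cleartext, visible


if __name__ == "__main__":
    cleartext, visible = audit_indirect_message(SAMPLE_REDIRECT)
    print("legs without TLS:", cleartext or "none")
    for name, value in visible.items():
        print(f"user can read {name} = {value}")
```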