[OpenID] Privacy Concern with Simple Registration Extension

Drummond Reed drummond.reed at cordance.net
Fri Dec 1 02:11:51 UTC 2006


Kay,

I'm not knowledgeable in the simple-reg extension, but I'm suspecting you
haven't received an answer yet because so many OpenID developers are tied up
trying to complete code for Internet Identity Workshop next week
(http://www.windley.com/events/iiw2006b/announcement).

I believe the answer is "Yes", if the OP wants to help protect the user's
privacy, the OP needs to check to see if the return_to URL is https, and
warn the user otherwise.

I hope David, Josh, Kevin, or someone who knows this extension well can jump
in here and confirm.

=Drummond 

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Kay Lee
Sent: Wednesday, November 29, 2006 12:13 AM
To: general at openid.net
Subject: Privacy Concern with Simple Registration Extension

Hi members.
I'm testing the Simple Registration Extension to support it with our
OpenID provider.
Recently I have found that in the response from the server, via the browser,
to the consumer with mode 'id_res' (the normal response for a request with
registration fields required), the user's registration fields, such as
e-mail, nickname, ... are transferred in just HTTP GET parameters.
Uhm.... and the return_to URL the consumer provided was not https. I think
there is a danger of exposing the user's fields. Must I check whether
the consumer's return_to URL is https?

http://openid.net/specs/openid-simple-registration-extension-1_0.html

Sincerely. Kay.
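
Added example, not part of the original thread and not code from any OpenID library: a sketch of the OP-side check discussed above, which inspects an incoming request for Simple Registration fields and flags a return_to URL that is not https so the consent page can warn the user. The function names, the result dictionary and the consumer.example requests are assumptions made for illustration; the openid.* parameter names and field names come from the Simple Registration Extension 1.0 specification.

```python
from urllib.parse import parse_qs, urlsplit

# Field names defined by Simple Registration Extension 1.0.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}


def requested_sreg_fields(params):
    """Return the sorted SREG fields named in openid.sreg.required/optional."""
    names = set()
    for key in ("openid.sreg.required", "openid.sreg.optional"):
        for value in params.get(key, []):
            names.update(f.strip() for f in value.split(",") if f.strip())
    return sorted(names & SREG_FIELDS)


def check_return_to(request_query):
    """Decide whether the OP should warn before releasing SREG data.

    Returns a dict (hypothetical shape) with:
      fields - SREG fields the consumer asked for
      warn   - True if those fields would travel to a non-https return_to
      reason - short text suitable for the consent page
    """
    params = parse_qs(request_query, keep_blank_values=True)
    fields = requested_sreg_fields(params)
    return_to = params.get("openid.return_to", [""])[0]
    scheme = urlsplit(return_to).scheme.lower()

    if not fields:
        return {"fields": [], "warn": False, "reason": "no SREG data requested"}
    if scheme == "https":
        return {"fields": fields, "warn": False, "reason": "return_to is https"}
    return {"fields": fields, "warn": True,
            "reason": "return_to is %s; %s would be sent in clear GET parameters"
                      % (scheme or "missing a scheme", ", ".join(fields))}


# Constructed sample requests (query strings as the OP would receive them).
PLAIN = ("openid.mode=checkid_setup"
         "&openid.return_to=http%3A%2F%2Fconsumer.example%2Ffinish"
         "&openid.sreg.required=email,nickname&openid.sreg.optional=dob")
TLS = PLAIN.replace("http%3A", "https%3A")

if __name__ == "__main__":
    for query in (PLAIN, TLS):
        print(check_return_to(query))
```

The check only covers the hop from the browser to the consumer's return_to URL; it says nothing about what the consumer does with the fields afterwards.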