[dix] Re: Gathering requirements for in-browser OpenID support
Mike Glover
mpg4 at janrain.com
Wed Oct 18 18:01:59 UTC 2006
Pete-
Why do you have to trust the RP at all? All the RP ever sees is an assertion that you control the identity URL that you provided. Do you see a vulnerability that I'm missing?
-mike
On Wed, 18 Oct 2006 10:49:54 -0700
Pete Rowley <prowley at redhat.com> wrote:
> I also think it _is_ a requirement that the
> browser vendors support this - right now you have to trust that the RP
> is a white hat.
>