security
Martin Atkins
mart at degeneration.co.uk
Mon Oct 23 18:51:19 UTC 2006
Chris Drake wrote:
> DH> compromised. No personal data is moved in the connection between the
> DH> user and the RP.
>
> ... except when using the Simple Registration Extension
In which case, the Simple Registration Extension rather than the Auth
2.0 spec should specify that the RP either MUST or SHOULD use SSL for
its return_to URL. That requirement does not exist for the core
authentication protocol.
You could also say that IdPs providing "simple registration" stuff
SHOULD show some kind of warning to the user if the return_to URL is not
an https URL, and MAY refuse to send the simple registration details
altogether to such RPs.
But the Simple Registration spec is able to specify this on its own,
without imposing requirements on Authentication.
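An IdP-side check of the kind Martin sketches (warn when the return_to URL is not https, optionally withhold the profile data), as an added example that is not part of the original thread. The parameter names openid.return_to and openid.sreg.required/optional are the standard SREG 1.0 names; the policy function, its modes and the sample request are assumptions.

```python
from urllib.parse import urlsplit

# SREG 1.0 request parameters (standard names). The policy below is an
# assumed illustration of the thread's proposal, not reference code.
SREG_REQUIRED = "openid.sreg.required"
SREG_OPTIONAL = "openid.sreg.optional"
RETURN_TO = "openid.return_to"


def return_to_is_https(return_to):
    """True only if return_to parses with a host and an https scheme."""
    if not return_to:
        return False
    parts = urlsplit(return_to)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def sreg_release_policy(params, refuse_on_plain_http=False):
    """Decide which requested SREG fields an IdP should release.

    params: the checkid request as a dict of query parameters.
    Returns (fields_to_release, warning). On a non-https return_to the IdP
    SHOULD warn the user; with refuse_on_plain_http=True it MAY withhold
    the fields altogether (the thread's "MAY refuse").
    """
    requested = []
    for key in (SREG_REQUIRED, SREG_OPTIONAL):
        requested += [f for f in params.get(key, "").split(",") if f]
    if not requested:
        return [], None  # no personal data is being asked for
    return_to = params.get(RETURN_TO, "")
    if return_to_is_https(return_to):
        return requested, None
    warning = ("return_to %r is not https; profile data sent to this RP "
               "would travel in the clear" % return_to)
    if refuse_on_plain_http:
        return [], warning
    return requested, warning


# Constructed sample request from an RP whose return_to is plain http.
SAMPLE_REQUEST = {
    "openid.mode": "checkid_setup",
    "openid.return_to": "http://rp.example/finish",
    "openid.sreg.required": "email,nickname",
    "openid.sreg.optional": "dob",
}

if __name__ == "__main__":
    fields, warning = sreg_release_policy(SAMPLE_REQUEST)
    print(fields, warning)
```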
More information about the general mailing list