[OpenID] Shared Secrets in the clear (Was: What's broken in OpenID 2.0? (IIW session))
Allen Tom
openid at allentom.com
Wed May 16 17:37:15 UTC 2007
Hi John,
This URL would be generated by RPs that associate via HTTP without
Diffie-Hellman, which is considered a valid use case in the current
spec. Hopefully, nobody is actually doing this, but you never know.
Allen
> Allen Tom wrote:
> > Hi,
> >
> >
> > Here are some example Association Requests using HTTP without
> > Diffie-Hellman using some of the well known public OPs:
> >
> > AOL:
> >
> > http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
> >
> When would this URL be generated? (The normal mode is of course to use
> HTTPS.) Sorry, I missed the session yesterday.
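
A defensive check for the case discussed in this thread, as an added example that is not part of the original messages or of any OpenID library: it classifies association request URLs and flags those that would return the shared MAC key unencrypted over plain HTTP. The function names and the op.example URLs are constructed for illustration; the AOL URL is the one quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Session types in which the OP returns the MAC key Diffie-Hellman encrypted.
DH_SESSION_TYPES = {"DH-SHA1", "DH-SHA256"}

def audit_associate_request(url):
    """Classify an OpenID association request URL.

    Returns "not-associate", "dh", "cleartext-over-tls",
    "cleartext-exposed" or "unknown-session".
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("openid.mode", [""])[-1] != "associate":
        return "not-associate"
    session = params.get("openid.session_type", [""])[-1]
    if session in DH_SESSION_TYPES:
        return "dh"
    # Assumption: an absent or blank session type is treated as cleartext,
    # which is the OpenID 1.1 default.
    if session in ("no-encryption", ""):
        if parts.scheme == "https":
            return "cleartext-over-tls"
        return "cleartext-exposed"
    return "unknown-session"

def exposed_requests(urls):
    """Return only the URLs whose association secret would cross the wire in the clear."""
    return [u for u in urls if audit_associate_request(u) == "cleartext-exposed"]

# URL quoted in the thread above.
AOL_URL = ("http://api.screenname.aol.com/auth/openidServer"
           "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
           "&openid.mode=associate&openid.session_type=no-encryption")

# Constructed sample inputs (op.example is a placeholder OP endpoint).
SAMPLE_URLS = [
    AOL_URL,
    "https://op.example/server?openid.mode=associate&openid.session_type=no-encryption",
    "http://op.example/server?openid.mode=associate&openid.session_type=DH-SHA256",
    "http://op.example/server?openid.mode=associate",
    "http://op.example/server?openid.mode=checkid_setup",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(audit_associate_request(url), url)
```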