[OpenID] Shared Secrets in the clear (Was: What's broken in OpenID 2.0? (IIW session))
John Panzer
jpanzer at aol.net
Wed May 16 17:57:18 UTC 2007
Right. So RPs are allowed to fall back to http if they don't support
https (which is our standard format) and they're allowed to push data in
the clear towards a server.
Is a server allowed to reject this, by the way? Of course this doesn't
help with the current request, which has already given away the store,
but it might discourage clients from doing this.
John
Allen Tom wrote:
> Hi John,
>
> This url would be generated by RPs that associate via HTTP without
> Diffie-Hellman, which is considered a valid use case in the current
> spec. Hopefully, nobody is actually doing this, but you never know.
>
> Allen
>
>
>
>> Allen Tom wrote:
>>
>>> Hi,
>>>
>>>
>>> Here are some example Association Requests using HTTP without
>>> Diffie-Hellman using some of the well known public OPs:
>>>
>>> AOL:
>>>
>>>
> http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
>
>>>
>>>
>> When would this URL be generated? (The normal mode is of course to use
>> HTTPS.) Sorry, I missed the session yesterday.
>>
>
>
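John's question above (may an OP reject a no-encryption association that arrives over plain HTTP?) can be answered with the spec's unsuccessful association response, which carries `error_code:unsupported-type` and suggests an alternative `session_type`/`assoc_type`. The following is an added example of such an OP-side check, not code from the thread or from any of the OPs named in it; the URL it parses is the AOL request quoted by Allen, and the `SAFE_SESSION_TYPES` policy is an assumption of this example.

```python
# Added example: an OP-side policy check for OpenID 2.0 association requests.
# A "no-encryption" session hands the RP the shared MAC key in the clear, so
# the OP accepts it only over TLS and otherwise returns the spec's
# unsuccessful-association response steering the RP to a DH session.
from urllib.parse import urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SAFE_SESSION_TYPES = {"DH-SHA1", "DH-SHA256"}   # assumed policy: DH always allowed

# Constructed sample: the association request URL quoted in the thread.
SAMPLE_URL = ("http://api.screenname.aol.com/auth/openidServer"
              "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
              "&openid.mode=associate&openid.session_type=no-encryption")

def parse_association_request(url):
    """Return (scheme, {openid.* -> value}) for an association request URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items() if k.startswith("openid.")}
    if fields.get("openid.mode") != "associate":
        raise ValueError("not an association request")
    return parts.scheme.lower(), fields

def kv_encode(pairs):
    """Key-Value Form used by OpenID direct responses: one 'key:value' per line."""
    return "".join(f"{k}:{v}\n" for k, v in pairs)

def check_association_request(url):
    """OP-side policy: (True, None) if key exchange may proceed, otherwise
    (False, unsuccessful-response body) telling the RP what to use instead."""
    scheme, f = parse_association_request(url)
    session_type = f.get("openid.session_type")
    if session_type is None and "openid.ns" not in f:
        session_type = "no-encryption"   # OpenID 1.1 compatibility default
    if session_type in SAFE_SESSION_TYPES:
        return True, None                # DH protects the MAC key even over http
    if session_type == "no-encryption" and scheme == "https":
        return True, None                # TLS protects it; the spec permits this
    # no-encryption over plain http (or an unknown type): refuse, and point the
    # RP at DH-SHA256 / HMAC-SHA256 using the spec's error response fields.
    return False, kv_encode([
        ("ns", OPENID2_NS),
        ("error", "no-encryption sessions are only accepted over https"),
        ("error_code", "unsupported-type"),
        ("session_type", "DH-SHA256"),
        ("assoc_type", "HMAC-SHA256"),
    ])
```

As John notes, this does not protect the request that already arrived; it only signals to the RP that the OP will not complete an association on those terms.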