[OpenID] Question regarding the OpenID Information Cards 1.0
Peter Williams
pwilliams at rapattoni.com
Wed Sep 5 02:07:56 UTC 2007
I hear what you are saying.
Something is still sticking in my gullet. One never automatically does that which an untrusted party asks you to do. One never follows a URL whose form has not been subject to verification. One doesn't follow 1000 redirects, each causing you to send off SSL cert chain signals about which root CA sites you trust when you follow https Redirect+1,
It just feels like the case where I'm sending you an unsolicited HTML email, and I learn you opened it without your control over the release of that fact, when your client auto-follows the GIF links. If we look at modern email clients, we don't do that anymore. The sender has to be on a reliance list before we allow that automatic release of IP/location and time-of-opening info.
But the case of OpenID + CardSpace sending in the auth resp (for validation) is really no different to the RP receiving an unsolicited auth response (without CardSpace having been involved earlier).
I'll think on this.