[OpenID] Mis-using generation identifiers to request SSL treatment
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Nov 3 02:24:27 UTC 2008
If we can use "myid.com/me#001" to distinguish between multiple
accounts at that Provider with "me" as the username, and this will be
treated as a different user by the RP (even if the "#001" part isn't
displayed), couldn't we use "#ssl=true" to let discerning RPs know
that they should request "https://myid.com/me#ssl=true" instead of
the regular HTTP version, and how many websites could we expect to
choke on the '#' part?
-Shade