[OpenID] Mis-using generation identifiers to request SSL treatment
Martin Atkins
mart at degeneration.co.uk
Mon Nov 3 05:10:47 UTC 2008
SitG Admin wrote:
> If we can use "myid.com/me#001" to distinguish between multiple
> accounts at that Provider with "me" as the username, and this will be
> treated as a different user by the RP (even if the "#001" part isn't
> displayed), couldn't we use "#ssl=true" to let discerning RPs know
> that they should request "https://myid.com/me#ssl=true" instead of
> the regular HTTP version, and how many websites could we expect to
> choke on the '#' part?
>
I'm a bit confused as to what you're trying to achieve here. Surely the
https: URI scheme already provides a way to indicate that a URL should
be fetched over SSL?