[OpenID] Bug in OpenID RP implementations
Eric Norman
ejnorman at doit.wisc.edu
Thu Jan 1 22:49:41 UTC 2009
On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:
> The openid 2 spec says in section 15 (a non-normative must, note):
>
> "In order to get protection from SSL, SSL must be used for all parts
> of the interaction, including interaction with the end user through
> the User-Agent."
When I include "https:" in my OpenID, I'm saying that I
want protection by SSL, right?

So if something elsewhere decides not to use SSL for
whatever reason, that would be incorrect behavior, right?

And let's not forget that the error message I quoted is
clearly inappropriate.

Eric Norman