[OpenID] Bug in OpenID RP implementations
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Jan 1 23:00:07 UTC 2009
On 01/02/2009 12:49 AM, Eric Norman:
> On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:
>
>
>> The openid 2 spec says in section 15 (a non-normative must, note):
>>
>> "In order to get protection from SSL, SSL must be used for all parts
>> of the interaction, including interaction with the end user through
>> the User-Agent."
>>
>
> When I include "https:" in my OpenID, I'm saying that I
> want protection by SSL, right?
>
Your OpenID is https:// then; it's not necessarily the same as http, and
the other way around too. It has been mentioned many times already.
> So if something elsewhere decides not to use SSL for
> whatever reason, that would be incorrect behavior, right?
>
Correct. However, an OP may return the claimed OpenID as https (there are,
for example, some OPs which don't do plain http, only https via redirect).
> And let's not forget that the error message I quoted is
> clearly inappropriate.
>
>
>
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
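The two points made in this reply, that an https:// identifier is a different identifier from its http:// twin and that an RP has to keep the whole interaction under SSL, come down to checks in the RP's verification code. The following is an added illustration written for this page, not code from the thread or from any OpenID library: a simplified URL-identifier normalization (scheme preserved, host lower-cased, default port and fragment dropped, empty path made "/"; XRIs and full RFC 3986 normalization are out of scope) and a classifier that flags an assertion whose returned claimed_id downgrades from https to http, names a different identifier, or whose return_to URL is plain http while the identifier is https. The result labels and the function names are this example's own choices.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed, simplified normalization for URL identifiers. The scheme is kept
# on purpose: https://example.org/ and http://example.org/ are two identifiers.
def normalize_identifier(identifier: str) -> str:
    if "://" not in identifier:
        # A bare "example.org" is treated as an http URL.
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported identifier scheme: %s" % scheme)
    host = (parts.hostname or "").lower()
    port = parts.port                      # None when no explicit port
    default_port = 443 if scheme == "https" else 80
    netloc = host if port in (None, default_port) else "%s:%d" % (host, port)
    path = parts.path or "/"
    # Fragment is never part of the identifier.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


# Classify an OP assertion against what the user originally typed.
# Returns one of: "ok", "downgrade", "mismatch", "plain_return_to".
def classify_assertion(requested: str, returned_claimed_id: str, return_to: str) -> str:
    want = normalize_identifier(requested)
    got = normalize_identifier(returned_claimed_id)
    if want != got:
        w, g = urlsplit(want), urlsplit(got)
        same_resource = (w.netloc, w.path, w.query) == (g.netloc, g.path, g.query)
        if w.scheme == "https" and g.scheme == "http" and same_resource:
            # Same host and path, but SSL protection silently lost.
            return "downgrade"
        return "mismatch"
    if urlsplit(want).scheme == "https" and urlsplit(return_to).scheme.lower() != "https":
        # The identifier is protected but the RP's own leg of the exchange is not.
        return "plain_return_to"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cases = [
        ("https://example.org/alice", "https://example.org/alice", "https://rp.example/return"),
        ("https://example.org/alice", "http://example.org/alice", "https://rp.example/return"),
        ("https://example.org/alice", "https://example.org/bob", "https://rp.example/return"),
        ("https://example.org/alice", "https://example.org/alice", "http://rp.example/return"),
    ]
    for requested, returned, rt in cases:
        print(requested, returned, rt, "->", classify_assertion(requested, returned, rt))
```

An RP would run the classifier after signature verification and accept only "ok"; a "downgrade" result is the case the quoted section 15 text warns about, where the identifier says https but some other part of the interaction has fallen back to plain http.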