[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Watkins
peterw at tux.org
Sat Jan 3 15:27:59 UTC 2009
On Sat, Jan 03, 2009 at 10:46:27AM +0200, Martin Paljak wrote:
> Leaving browsers and coming back to OpenID, I would like to propose to
> set some common SSL related best practices for public RP-s in stage 1
> and in stage 2 make it easy for admins and integrators by trying to
> bring the SSL related tunables into an API config file or something
> similar. At least make the problem, solutions and related variables
> visible.
I think some "best practices" documentation is a very good idea, and
bringing up these PKI issues would be great.
As for configuration, that's an implementation question, and OpenID is
just a protocol. I'm sure that implementors would welcome your patches
providing such config options, but it seems out of scope for the
actual protocol. It's mission creep. What's next, specifying that RP-OP
communication cannot use Keep Alive? Forbidding the use of paging
memory to disk?
-Peter