[OpenID] Fixing usability: can OPs indicate their claimed_id's are PPID's?

Andrew Arnott andrewarnott at gmail.com
Fri Oct 30 14:56:52 UTC 2009


Shade,

I wouldn't worry at all about email addresses being transmitted in the
clear.  SMTP itself is unencrypted.  If you're worried about man in the
middle sniffing between OP and RP, there's no more danger there than between
SMTP servers across the open Internet.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


2009/10/29 SitG Admin <sysadmin at shadowsinthegarden.com>

>>> And that other RP's won't have SSL, so they *really* won't want that data
>>> flying across the channel for malicious parties to pick up.
>>>
>> So what happens at sites that don't support HTTPS, but ask users for their
>> email addresses?
>>
>
> Assuming the OP cares enough to protect their users' (contact) information,
> which should first be seen by not sending the users' data UNsolicited, it
> might provide proxy E-mail addresses through its own domain when it detects
> that the RP is not using SSL.
>
> -Shade
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>