[OpenID] Doubts about SSL and direct requests between RP and OP
John Bradley
ve7jtb at ve7jtb.com
Wed Feb 9 13:58:12 UTC 2011
All of the providers that support theUS ICAM profile have SSL endpoints available. Others probably do but there is no guarantee.
The openID assertion is sent via redirect so it would not be safe to not validate the HMAC signature or perform direct validation.
There will be an option for verifying asymmetric signatures in openID ABC.
What is your reason for not doing an association and validating the signature that way?
John B.
On 2011-02-09, at 10:46 AM, Kleber - Corujito wrote:
> Is it possible to implement a Provider working (everything) with HTTPS?
>
> I mean not just possible, but that normal RPs will be able to use it without problems in discovery, association or direct verification.
>
> for example, a simple Java or PHP application/installation would be able to validate a ssl certificate?
>
> Thanks
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20110209/1d578f53/attachment.p7s>
More information about the general
mailing list