<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Right. So RPs are allowed to fall back to http if they don't support
https (which is our standard format) and they're allowed to push data
in the clear towards a server.<br>
<br>
Is a server allowed to reject this, by the way? Of course this doesn't
help with the current request, which has already given away the store,
but it might discourage clients from doing this.<br>
<br>
John<br>
<br>
<br>
Allen Tom wrote:
<blockquote cite="mid1179337035.10448@moose.he.net" type="cite">
<pre wrap="">Hi John,
This url would be generated by RPs that associate via HTTP without
Diffie-Hellman, which is considered a valid use case in the current
spec. Hopefully, nobody is actually doing this, but you never know.
Allen
</pre>
<blockquote type="cite">
<pre wrap="">Allen Tom wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Here are some example Association Requests using HTTP without Diffie
Helman using some of the well known public OPs:
AOL:
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!----><a class="moz-txt-link-freetext" href="http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption">http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption</a>
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">When would this URL be generated? (The normal mode is of course to use
HTTPS.) Sorry, I missed the session yesterday.
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
</body>
</html>