<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Pat Patterson wrote:
<blockquote cite="mid:FCC18218-F852-4F79-BB3A-04FAD799055D@Sun.COM"
type="cite">
<div>
<div>
<div><br class="khtml-block-placeholder">
</div>
<div>On the other hand, let's say I compromise the someidp.com web
site. Again, if an RP does discovery on <a moz-do-not-send="true"
href="http://eddy.someidp.com">http://eddy.someidp.com</a>, I am free
to send the RP anywhere I like, http or https.</div>
</div>
</div>
</blockquote>
Correct. This is one of the reasons why I personally lobby for a
minimal requirement standard for operating OpenID providers (or
something along this lines). In order to minimize the chance for
compromise of providers.<br>
<blockquote cite="mid:FCC18218-F852-4F79-BB3A-04FAD799055D@Sun.COM"
type="cite">
<div>
<div>
<div><br class="khtml-block-placeholder">
</div>
<div>As far as I can see, it's only by the RP doing discovery on <a
moz-do-not-send="true" href="https://eddy.someidp.com">https://eddy.someidp.com</a>
that he gains any benefit from HTTPS.</div>
</div>
</div>
</blockquote>
Absolutely! And certificates should be issued by CAs known to issue
only to domain owners (e.g. minimum domain validated), otherwise there
isn't any benefit either. <br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>