<div dir="ltr">RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate the issue you speak of.<br><br><div class="gmail_quote">On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <<a href="mailto:egon@krul.ath.cx">egon@krul.ath.cx</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello,<br>
<br>
I am new to openid, so forgive me if this will sound obvious. Let's say<br>
I have a web site and I want to support openid, so users of my site will<br>
be able login using their openid url. The trouble I see here is that my<br>
web server will have to connect to random IPs on the internet as a part<br>
of authentication process*, am I right? Is there an authentication mode,<br>
where client's browser does all the outgoing communication?<br>
<br>
* why this is a problem:<br>
- I don't want my web server to be used in ddos attacks<br>
- companies that are serious about security usually deny unrestricted<br>
outgoing connections from servers, so it's also a deployment issue<br>
<br>
Thanks,<br>
Egon<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote></div><br></div>