Shade,<div><br></div><div>I wouldn't worry at all about email addresses being transmitted in the clear. SMTP itself is unencrypted. If you're worried about man in the middle sniffing between OP and RP, there's no more danger there than between SMTP servers across the open Internet. </div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/10/29 SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
And that other RP's won't have SSL, so they *really* won't want that data flying across the channel for malicious parties to pick up.<br>
</blockquote>
So what happens at sites that don't support HTTPS, but ask users for their email addresses?<br>
</blockquote>
<br></div>
Assuming the OP cares enough to protect their users' (contact) information, which should first be seen by not sending the users' data UNsolicited, it might provide proxy E-mail addresses through its own domain when it detects that the RP is not using SSL.<br>
<br>
-Shade<div><div></div><div class="h5"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</div></div></blockquote></div><br></div>