[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 19:27:01 UTC 2006
On Fri, 27 Oct 2006 12:11:40 -0700, Eddy Nigg (StartCom Ltd.) wrote:
> BTW, did anybody of you notice, that the exchange of information
> (assoc_handle / shared secret) between the RP and IDP is completely
> optional?
Yes, but that's up to the Relying Party, so if the Relying Party
doesn't do their homework it's their own damned fault.
I might support stronger language to the effect of "if you've decided
to shoot yourself in the foot, you might want to take a moment to
contemplate life without toes", but the Relying Party can also just
take the OpenID that the user enters and say "Woohoo! I've got me an
ID!" without going through all the rest of that pesky checking with
the Identity Provider stuff, too.
Dan