[security] HTTP and HTTPS URL issue (was RE: security)
Josh Hoyt
josh at janrain.com
Fri Oct 27 19:40:14 UTC 2006
On 10/27/06, Dan Lyke <danlyke at flutterby.com> wrote:
> On Fri, 27 Oct 2006 12:11:40 -0700, Eddy Nigg (StartCom Ltd.) wrote:
> > BTW, did any of you notice that the exchange of information
> > (assoc_handle / shared secret) between the RP and IDP is completely
> > optional?
>
> Yes, but that's up to the Relying Party, so if the Relying Party
> doesn't do their homework it's their own damned fault.
Um, can you explain why it's harmful?
No one seems to have made an argument to that effect.
Josh