Recordon, David <drecordon at verisign.com> wrote:
> +1, any OP worth its code will use HTTPS when working with passwords or user data.

That does not help if a rogue RP sends the user elsewhere and the MITM provides a valid SSL certificate for his "lookalike" domain name.

Claus