XAuth critiques
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Jun 8 23:05:03 UTC 2010
>(2) If an eavesdropper can listen in on all your network traffic,
>can't they see your HTTP requests to IdP and RP (and everything
>else) directly?
Even setting aside the IP address versus sniffing request strings
versus sniffing responses too, you've blanked out here on the idea of
"Assume that ALL requests are protected with SSL" - it's one thing to
be blind to anything which would contradict your favored belief, but
when it starts to affect your logical faculty in other areas, you
seriously need to take a step back and detach.
-Shade