<div><div class="gmail_quote">On Wed, Jan 27, 2010 at 3:28 PM, John Bradley <span dir="ltr"><<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">Changing openID to support artifact binding is a good long term solution. Though it is not without issues.<div><br></div><div>If RP's used SSL endpoints POST would not be an issue. (Yes artifact is better for mobile)</div>
<div><br></div><div>In the short term we can shorten AX URI, and get RP to use SSL.</div><div><br></div><div>The other alternative is to ban IE because it is the source of the 2K limit for GET.</div><div>Not a problem for FF or other browsers.</div>
</div></blockquote><div><br></div><div>John,</div><div>Remember the argument I'm making is not "how do we get GET to work better" but "how do we stop using GET and switch to POST", since that will alleviate the nonce reuse problem. Coming up with craftier ways of using GET is moving in the wrong direction IMO. I'd like to see OpenID move to an all-POST protocol, and solve the HTTP-HTTPS boundary problem. </div>
<div><br></div><div>Even with artifact binding moving the nonce outside the browser redirect URL, if only one GET is allowed because the artifact is a usable-once-only token, then it's not a GET--it's a POST by HTTP definition.</div>
</div></div>