Hi Andrew,

You raised two issues:

1. Nonce verification and its implications.
2. Using POST vs. GET as a philosophical issue of authentication protocols.

I think because of several reasons having to do with latency, user experience, HTTP/HTTPS boundary warnings, robustness, there will be a lot of reluctance to move from GET to POST, so while you make a valid philosophical argument, GET will remain the prevailing mechanism for entirely practical reasons.

So, I propose you reboot this discussion by starting another thread on the nonce verification problem (assuming GET is the used protocol).

> Even with artifact binding moving the nonce outside the browser redirect
> URL, if only one GET is allowed because the artifact is a usable-once-only
> token, then it's not a GET--it's a POST by HTTP definition.

--
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
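To make the quoted point concrete, here is an added illustration (not code from the OpenID specs or from anyone on this list) of a relying party verifying a single-use response nonce on the redirect GET: the same URL is accepted once and rejected on its second arrival, which is exactly why the request stops being an idempotent GET. The in-memory store, the 300-second skew window and the query parameter layout are assumptions.

```python
import re
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs

# OpenID 2.0 style nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" plus up to
# 235 extra ASCII characters (255 total). The skew window is an assumption.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z(.{0,235})$")
MAX_SKEW = 300  # assumed acceptable clock skew between OP and RP, seconds


class NonceStore:
    """Remembers every nonce seen inside the skew window (constructed, in-memory)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so behaviour is testable
        self._seen = {}          # nonce -> unix time it was first accepted

    def _gc(self, now):
        # Anything older than the skew window is rejected by the timestamp check
        # anyway, so it no longer needs to be remembered.
        for n in [n for n, t in self._seen.items() if now - t > MAX_SKEW]:
            del self._seen[n]

    def verify(self, nonce: str) -> bool:
        """True exactly once per fresh nonce; False for malformed, stale or replayed values."""
        m = NONCE_RE.match(nonce)
        if not m:
            return False
        issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        issued = issued.replace(tzinfo=timezone.utc).timestamp()
        now = self._now()
        if abs(now - issued) > MAX_SKEW:
            return False         # outside the window we track: cannot prove it is unused
        self._gc(now)
        if nonce in self._seen:
            return False         # replay: the identical GET arriving a second time
        self._seen[nonce] = now
        return True


def handle_get(store: NonceStore, query: str) -> str:
    """Simulate the RP receiving the browser redirect; returns 'accepted' or 'rejected'."""
    nonce = parse_qs(query).get("openid.response_nonce", [""])[0]
    return "accepted" if store.verify(nonce) else "rejected"
```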
