Andrew, I think the direction of other people on the thread is to get rid of POST in the indirect response.
POST in the direct communication will remain. Personally I think POST can work perfectly well. We are just not willing to make the changes to do it. Nat wants artifact for a bunch of reasons. I think that road is a GET response containing the artifact.

Now, if the nonce is in the POST response to the artifact query, would that solve the nonce problem?

John B.

On 2010-01-27, at 9:12 PM, Breno de Medeiros wrote:

> Hi Andrew,
>
> You raised two issues:
>
> 1. Nonce verification and its implications.
>
> 2. Using POST vs. GET as a philosophical issue of authentication protocols.
>
> I think because of several reasons having to do with latency, user
> experience, HTTP/HTTPS boundary warnings, robustness, there will be a
> lot of reluctance to move from GET to POST, so while you make a valid
> philosophical argument, GET will remain the prevailing mechanism for
> entirely practical reasons.
>
> So, I propose you reboot this discussion by starting another thread on
> the nonce verification problem (assuming GET is the used protocol).
>
>> Even with artifact binding moving the nonce outside the browser redirect
>> URL, if only one GET is allowed because the artifact is a usable-once-only
>> token, then it's not a GET--it's a POST by HTTP definition.
>
> --

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
