Hi all -

Before I get started - I agree that in an ideal world, we'd have full end to
end SSL, old browsers would be banned, and we'd POST data.

However, requiring RPs to support SSL isn't going to help adoption and is a
deal breaker for most applications that want to use OpenID today.
Encouraging RPs to use SSL is a great idea - but it should not be required.

Although most browsers can support URLs > 2KB, some proxy servers choke on
URLs > 2KB. This is not fun to debug.

In practice, enforcing the nonce only gives the illusion of additional
security. If there's a MITM, instead of replaying (or pre-playing) the
assertion, the attacker will just steal the browser cookies instead.
Assertions should have a limited lifetime - but this can be enforced by
checking the timestamp and allowing for a narrow replay window.

POST is technically the ideal solution, but results in a degraded UX. The
proprietary market leaders have set the bar very high and we need to offer
an open alternative that is just as good, if not better. We really aren't
going to get anywhere with a clunky UX. POST adds additional latency, and
can cause strange warnings and a blank interstitial (the self submitting
form).

I really would like to be able to return an assertion using AX with a lot of
attributes, and Hybrid that can fit within the 2KB limit. This is needed
just to reach parity with the proprietary stuff.

Allen
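As an added example (not part of Allen's message or of the OpenID specification), here is a Python sketch of the freshness rule argued for above: the timestamp that an OpenID 2.0 response_nonce carries is checked against a narrow replay window, and the nonce cache only has to remember that window's worth of values; a second helper checks whether a GET-based (indirect) response still fits the 2KB URL limit that proxies impose. The window size, the 2048-byte limit and all helper names are assumptions for this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed constants for this example (not taken from the thread).
REPLAY_WINDOW_SECONDS = 300   # how long an assertion is considered fresh
URL_LIMIT_BYTES = 2048        # the ~2KB URL limit some proxies enforce


def parse_response_nonce(nonce: str) -> float:
    """Return the POSIX time encoded in an OpenID 2.0 response_nonce.

    The nonce starts with a UTC ISO 8601 timestamp ending in 'Z', followed by
    arbitrary unique ASCII characters, e.g. '2005-05-15T17:11:51ZUNIQUE'.
    """
    ts, sep, _unique = nonce.partition("Z")
    if not sep or len(nonce) > 255:
        raise ValueError("malformed response_nonce")
    issued = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return issued.replace(tzinfo=timezone.utc).timestamp()


class AssertionVerifier:
    """Timestamp plus narrow replay window, with a bounded nonce cache."""

    def __init__(self, window: int = REPLAY_WINDOW_SECONDS):
        self.window = window
        self.seen: dict[str, float] = {}   # nonce -> timestamp it carried

    def check(self, nonce: str, now: float) -> tuple[bool, str]:
        try:
            issued = parse_response_nonce(nonce)
        except ValueError as exc:
            return False, str(exc)
        # Reject anything older or newer than the window (clock skew allowed).
        if issued < now - self.window or issued > now + self.window:
            return False, "assertion outside replay window"
        # Evict nonces that have aged out, so the cache never grows unbounded.
        self.seen = {n: t for n, t in self.seen.items() if t >= now - self.window}
        if nonce in self.seen:
            return False, "nonce replayed"
        self.seen[nonce] = issued
        return True, "ok"


def indirect_response_fits(return_to: str, params: dict) -> tuple[bool, int]:
    """Check whether a GET-based response URL stays under the proxy limit."""
    url = return_to + ("&" if "?" in return_to else "?") + urlencode(params)
    size = len(url.encode("ascii"))
    return size <= URL_LIMIT_BYTES, size
```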

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
