Thank you for your comments, John.

> In particular, if you see a 302 redirect on step (2) to an https:// URL,
> ignore it (susceptible to man-in-the-middle attack).

So should we distrust identifiers that redirect via plain HTTP?

> And the above applies both to an OpenID URL itself and any URLs that
> resource delegates to via <link>.

I don't see why delegates should get any special treatment. In fact, it looks like the security add-on should be completely delegation-blind.

Regards,
Dmitry
=damnian

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
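
An added example, not code from the thread or from the OpenID project, of what a "delegation-blind" check like the one discussed above could look like: a toy OpenID 1.x discovery resolver that follows redirects for the claimed identifier, parses its `<link rel="openid.*">` elements, and then applies exactly the same fetch-and-check routine to every linked URL, whatever its role. A URL passes only if every hop of its redirect chain was https://; a 302 received over plain HTTP is recorded as an insecure hop even when it points at an https:// target, which is the man-in-the-middle concern in the quoted text. Fetching the linked URLs during discovery, the in-memory `FAKE_WEB` table, and the hostnames in it are assumptions made for illustration.

```python
"""
Added example (not from the original thread): a toy OpenID 1.x discovery
resolver that applies one identical redirect-chain check to the identifier
and to every URL it reaches through <link rel="openid.*">, i.e. the check
does not know or care about delegation.  HTTP is simulated by the
constructed FAKE_WEB table; its hostnames are made up.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5

# Constructed responses standing in for real HTTP: url -> (status, headers, body).
FAKE_WEB = {
    "http://alice.example/": (302, {"Location": "https://alice.example/"}, ""),
    "https://alice.example/": (200, {},
        '<html><head>'
        '<link rel="openid.server" href="https://idp.example/openid">'
        '<link rel="openid.delegate" href="http://alice.idp.example/">'
        '</head></html>'),
    "http://alice.idp.example/": (302, {"Location": "https://alice.idp.example/"}, ""),
    "https://alice.idp.example/": (200, {}, "<html><head></head></html>"),
    "https://idp.example/openid": (200, {}, ""),
    "https://bob.example/": (200, {},
        '<html><head>'
        '<link rel="openid.server" href="https://idp.example/openid">'
        '</head></html>'),
}


class _OpenIDLinks(HTMLParser):
    """Collect href values of <link rel="openid.*"> elements (first one wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                if r.startswith("openid."):
                    self.links.setdefault(r, href)


@dataclass
class Fetched:
    chain: list   # every URL visited: request URL first, final URL last
    body: str

    @property
    def https_only(self):
        # A plain-HTTP hop anywhere in the chain means an attacker on the
        # path could have supplied the redirect, so the whole chain fails.
        return all(urlsplit(u).scheme == "https" for u in self.chain)


def fetch(url, web=FAKE_WEB):
    """Follow up to MAX_REDIRECTS redirects, recording every hop."""
    chain = [url]
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = web[url]
        if status not in (301, 302, 303, 307, 308):
            return Fetched(chain, body)
        url = urljoin(url, headers["Location"])
        chain.append(url)
    raise ValueError("too many redirects")


def discover(identifier, web=FAKE_WEB):
    """Resolve an identifier; check it and every linked URL the same way.

    Returns (secure, results) where results maps "identifier" and each
    openid.* rel to its Fetched record.
    """
    results = {"identifier": fetch(identifier, web)}
    parser = _OpenIDLinks()
    parser.feed(results["identifier"].body)
    base = results["identifier"].chain[-1]
    for rel, href in parser.links.items():
        # Delegation-blind: the link's role is irrelevant, the target URL
        # gets exactly the same fetch-and-check treatment as the identifier.
        results[rel] = fetch(urljoin(base, href), web)
    secure = all(f.https_only for f in results.values())
    return secure, results


if __name__ == "__main__":
    for ident in ("http://alice.example/", "https://alice.example/", "https://bob.example/"):
        secure, res = discover(ident)
        print(ident, "secure" if secure else "NOT secure")
        for role, f in res.items():
            print("  ", role, "->".join(f.chain), "https-only" if f.https_only else "insecure hop")
```

The second identifier in the demo is the interesting one: the identifier's own chain is clean, but its delegate is reached through a plain-HTTP redirect, so the same rule that would reject an insecure identifier rejects the delegate, without any special-casing of delegation.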
