Dmitry Shechtman wrote:
> So my question stands: what should the RP's decision be in case a
> non-upgradeable http:// variant of the identifier is detected?

Connect only to https URLs

> I am fully aware of the DNS spoofing risks, but I am also assuming no OPs
> (in the wild, that is) currently satisfy this constraint

How about this one? https://certifi.ca/

> (i.e. either SSL only or TLS-upgradable identifiers).

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390