On 10/12/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> I am ok with this as long as the return_to parameter continues to be
> signed, otherwise it is open to reuse attacks.

Yes, I agree with this analysis (for stateless RPs). It is important that the return_to URL remain signed.

> I think that Hans had issues with the IdP signing arbitrary data,
> which is possible since anything could be stuck in the return_to
> parameter

That was my thought, too. Hans?

> Another advantage of having the request_nonce being a separate value
> is the IdP can make sure it is not processing requests multiple
> times, but this is only useful when the request is signed -- perhaps
> this parameter is best left to the highly anticipated, upcoming RP
> Identity extension? ;-)

Agreed here, as well.

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs