At 2:16 AM -0700 4/26/09, Santosh Rajan wrote:
In that case the spec could have specified "http" only without the user
having to know.

The user DOESN'T have to know. RP's "in the wild" today have shown me "shadowsinthegarden.com" as my OpenID, even though internally they are surely prefixing this with the protocol.

Because discovery does not require https or anything else.

It sure does if you want security through trust :p

(I know, I know; "OpenID is about identity, not trust." But still.)

At 7:17 AM -0700 4/26/09, Andrew Arnott wrote:
Shade, why make the user add #secure to their URI, Shade? Why not just have them prefix their identifier with "https://"; like every other RP?

To clarify: they *may* use the full address if they so desire. If they find this confusing, though, or happen to forget; they *may* find such an alternative more convenient. I won't remove the "https://"; if they omit "#secure"; I'll just *add* it (replacing "http://"; if necessary) if they *do* add that argument.

-Shade
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to