At 2:16 AM -0700 4/26/09, Santosh Rajan wrote:
> In that case the spec could have specified "http" only without the user having to know.
The user DOESN'T have to know. RPs "in the wild" today have shown me "shadowsinthegarden.com" as my OpenID, even though internally they are surely prefixing this with the protocol.
> Because discovery does not require https or anything else.
It sure does if you want security through trust :p (I know, I know; "OpenID is about identity, not trust." But still.)

At 7:17 AM -0700 4/26/09, Andrew Arnott wrote:
> Shade, why make the user add #secure to their URI, Shade? Why not just have them prefix their identifier with "https://" like every other RP?
To clarify: they *may* use the full address if they so desire. If they find this confusing, though, or happen to forget, they *may* find such an alternative more convenient. I won't remove the "https://" if they omit "#secure"; I'll just *add* it (replacing "http://" if necessary) if they *do* add that argument.
-Shade

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs