Absolutely. In fact, if part of a solution to any problem is to get all parties on SSL, then nonces can just go away -- am I right?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Wed, Jan 27, 2010 at 4:38 PM, Breno de Medeiros <[email protected]> wrote:

> > And I'm not trying to be a nit-picky HTTP purist here. I'm talking about
> > real-world problems from browsers, plugins, and/or proxies that believe GETs
> > are actually side-effect free, that are causing logins to fail.
>
> Yep, unfortunately the user experience in POST requests is suboptimal,
> so nobody is excited to move this direction.
>
> If the lack of effect-freeness is being manifested mostly in nonce
> verification failures, then we could have a discussion around that
> that might lead us somewhere.
>
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
