(2) If an eavesdropper can listen in on all your network traffic, can't they see your HTTP requests to IdP and RP (and everything else) directly?

Even setting aside the IP address versus sniffing request strings versus sniffing responses too, you've blanked out here on the idea of "Assume that ALL requests are protected with SSL" - it's one thing to be blind to anything which would contradict your favored belief, but when it starts to affect your logical faculty in other areas, you seriously need to take a step back and detach.

-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
