On 11/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> By manipulating the return_to parameter, an attacker can impersonate
> another user at an RP.

It's hard to do a careful reading of your message with my 2-year-old playing piano in the background, but I don't think I understand your attack. I don't see any KV form strings in your description, and those are the things that get signed.

In KV form, the pairs are indeed suffixed with a newline, which is the reason that newlines are not allowed. The x-www-urlencoded string:

    foo=bar&baz=quux

looks like:

    foo:bar
    baz:quux

in KV form.

Am I missing something?

Josh

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
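
The KV form rule described in the message above, as an added example that is not part of the original post or of any OpenID library. The function names, the key passed to sign_query, and the choice of HMAC-SHA256 are assumptions made for illustration; naive_encode exists only to show why an unchecked serializer makes the signed bytes ambiguous.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl


def kv_encode(pairs):
    """Serialize (key, value) pairs to KV form: one 'key:value\\n' per pair."""
    out = []
    for key, value in pairs:
        # A newline in either part would end the pair early and let one
        # field masquerade as two, so it is refused rather than escaped.
        if "\n" in key or "\n" in value:
            raise ValueError(f"newline not allowed in KV form: {key!r}")
        # The first colon separates key from value, so keys cannot hold one.
        if ":" in key:
            raise ValueError(f"colon not allowed in KV key: {key!r}")
        out.append(f"{key}:{value}\n")
    return "".join(out).encode("utf-8")


def kv_decode(data):
    """Parse KV form back into a list of (key, value) pairs."""
    text = data.decode("utf-8")
    if text and not text.endswith("\n"):
        raise ValueError("every pair must end with a newline")
    pairs = []
    for line in text.split("\n")[:-1]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"missing colon in line: {line!r}")
        pairs.append((key, value))
    return pairs


def sign_query(query, secret):
    """HMAC the KV form of a urlencoded query (SHA-256 is an assumption here)."""
    pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    return hmac.new(secret, kv_encode(pairs), hashlib.sha256).hexdigest()


def naive_encode(pairs):
    """Unchecked serializer, shown only to contrast with kv_encode."""
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode("utf-8")
```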