[Psi-devel] Fixes to XEP-0070 implementation
Remko Tronçon
remko at el-tramo.be
Tue Dec 5 13:27:48 PST 2006
> > 1) allow empty transaction id (as discussed with Remko)
>
> This is prompted by my current OpenID implementation (which I need to
> rework to fix). After the chat with Remko, I realise that transaction
> id is critical for security purposes. It should be extremely visible
> to the user in the confirmation window, and the user should be
> prompted to double check that it matches what they typed into the
> browser window.

This is why the transaction-id is obligatory. However, an empty
transaction id is a transaction id as well (albeit a bad one), just
like an empty PGP passphrase is a valid passphrase.

cheers,
Remko
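
Added example, not part of the original message or of Psi's code: a Python sketch of the distinction drawn above, where a missing transaction id is rejected as malformed while an empty one is accepted and flagged in the confirmation text. The `<confirm/>` element, its namespace and the `id`/`method`/`url` attributes are taken from XEP-0070; the function names, prompt wording and sample stanzas are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://jabber.org/protocol/http-auth"  # XEP-0070 namespace
REQUIRED = ("id", "method", "url")


class ConfirmError(ValueError):
    """The stanza does not carry a usable XEP-0070 <confirm/> element."""


def parse_confirm(stanza_xml):
    """Return the id, method and url of the <confirm/> request as a dict."""
    if "<!DOCTYPE" in stanza_xml:  # XMPP forbids DTDs; refuse before parsing
        raise ConfirmError("DTD not allowed")
    root = ET.fromstring(stanza_xml)
    tag = "{%s}confirm" % NS
    confirm = root if root.tag == tag else root.find(tag)
    if confirm is None:
        raise ConfirmError("no <confirm/> element")
    fields = {}
    for name in REQUIRED:
        value = confirm.get(name)
        if value is None:  # absent attribute: malformed request, reject
            raise ConfirmError("missing attribute: " + name)
        fields[name] = value  # "" is kept: an empty id is still an id
    return fields


def build_prompt(fields):
    """Return (text, weak_id) for a hypothetical confirmation dialog."""
    weak_id = fields["id"] == ""
    lines = ["%s request for %s" % (fields["method"], fields["url"])]
    if weak_id:
        lines.append("Transaction ID: (empty)")
        lines.append("There is no identifier to compare with your browser.")
    else:
        lines.append("Transaction ID: " + fields["id"])
        lines.append("Check that it matches what you typed into the browser.")
    return "\n".join(lines), weak_id


# Constructed sample stanzas (host names and id values are made up).
SAMPLE = ("<message from='files.example'><confirm xmlns='%s' id='%s' "
          "method='GET' url='https://files.example/missive.html'/></message>")
WITH_ID = SAMPLE % (NS, "a7374jnj")
EMPTY_ID = SAMPLE % (NS, "")
NO_ID = WITH_ID.replace(" id='a7374jnj'", "")

if __name__ == "__main__":
    for stanza in (WITH_ID, EMPTY_ID):
        print(build_prompt(parse_confirm(stanza))[0], end="\n\n")
```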