[OpenID] OpenID and HTTPS

Jonathan Daugherty cygnus at janrain.com
Fri Feb 9 23:04:44 UTC 2007

# I was hoping for something better than a guess.  I was hoping to
# attract the attention of someone who knows.
# However, assuming that the guess is correct, then the documentation
# needs to be updated, and I don't know what it should say.  Should
# the documentation say (1) if the http://user.domain... form of
# OpenID URL is supported by an OP, then a wild card certificate MUST
# be obtained, or (2) if that form is allowed, then "https" MUST NOT
# be used when supplying an OpenID URL.  Either one seems to have
# security or cost ramifications that should be mentioned.

I don't know what documentation you're referring to, but presumably
you mean the spec; in that case, it's the RP implementation's
responsibility to fail to validate the supplied certificate in the
case you mentioned.

  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid
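The point of contention above is what an RP must do when an `https://user.domain...` identifier is served with a certificate that only names the bare domain. The following is an added illustration, not code from this thread, the OpenID spec or JanRain's libraries: it applies the usual TLS-client hostname rules (RFC 6125, wildcard only as the whole left-most label, matching exactly one label) to the host in the identifier, using constructed sample certificates represented only by their SAN dNSName lists. The names `openid.example`, `alice`, and the helper names are assumptions for the example.

```python
"""Hostname check an RP would apply before trusting an https OpenID identifier.

Added example for this archive page; not from the OpenID spec or any RP
library. Certificates are constructed sample data: just their SAN dNSName
entries, which is all the hostname rule looks at.
"""
from urllib.parse import urlsplit


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one presented dNSName against a hostname with the common
    TLS-client rules (RFC 6125 section 6.4.3): a wildcard is honoured only as
    the entire left-most label, it matches exactly one label, and patterns
    such as '*.com' with too few labels are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*" must be the whole first label, appear nowhere else, and leave at
    # least two fixed labels to the right of it.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if any dNSName in the certificate covers the hostname."""
    return any(_label_matches(name, hostname) for name in san_dns_names)


def check_identifier_against_cert(identifier: str, san_dns_names):
    """Return (ok, reason). ok is True only when the identifier is https and
    the host it names is covered by the OP's certificate; otherwise the RP
    must refuse to treat the identifier as verified over TLS."""
    parts = urlsplit(identifier)
    if parts.scheme != "https":
        return False, "identifier is not https; certificate check not applicable"
    host = parts.hostname
    if not host:
        return False, "identifier has no host"
    if hostname_matches(host, san_dns_names):
        return True, f"certificate covers {host}"
    return False, f"certificate does not cover {host}; RP must refuse"


# Constructed sample certificates (SAN dNSName lists only).
CERT_APEX_ONLY = ["openid.example"]                      # option (2) in the thread
CERT_WILDCARD = ["openid.example", "*.openid.example"]   # option (1) in the thread

if __name__ == "__main__":
    for ident in ("https://alice.openid.example/", "https://openid.example/alice"):
        for label, cert in (("apex-only", CERT_APEX_ONLY), ("wildcard", CERT_WILDCARD)):
            ok, why = check_identifier_against_cert(ident, cert)
            print(f"{ident:35} {label:10} {'OK' if ok else 'REJECT'}: {why}")
```

With the apex-only certificate the `https://alice.openid.example/` identifier fails and the RP refuses it, which is the "fail to validate" outcome described in the reply; the wildcard certificate accepts it, and a two-level host such as `a.b.openid.example` still fails because the wildcard covers only one label.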

