Eric Norman ejnorman at doit.wisc.edu
Fri Feb 9 23:23:40 UTC 2007

On Feb 9, 2007, at 5:04 PM, Jonathan Daugherty wrote:

> # I was hoping for something better than a guess.  I was hoping to
> # attract the attention of someone who knows.
> #
> # However, assuming that the guess is correct, then the documentation
> # needs to be updated, and I don't know what it should say.  Should
> # the documentation say (1) if the http://user.domain... form of
> # OpenID URL is supported by an OP, then a wild card certificate MUST
> # be obtained, or (2) if that form is allowed, then "https" MUST NOT
> # be used when supplying an OpenID URL.  Either one seems to have
> # security or cost ramifications that should be mentioned.
> I don't know what documentation you're referring to, but presumably
> you mean the spec; in that case, it's the RP implementation's
> responsibility to fail to validate the supplied certificate in the
> case you mentioned.

I think what you're saying is that (2) applies according to the spec
and therefore that users MUST NOT say https when supplying their
OpenID URL or that form if they want their login to succeed.

Eric Norman
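The point the exchange turns on is what an RP's TLS hostname check does with an https OpenID URL of the form https://user.domain/ when the OP's certificate names only the bare domain versus a wildcard. The following is an added illustration, not code from the thread or from any OpenID library; the certificate name lists and the `rp_accepts` / `hostname_matches` helpers are constructed for the example.

```python
"""Hostname check an OpenID Relying Party (RP) must apply when a user supplies an
https OpenID URL of the form https://user.domain/ (constructed example)."""
from urllib.parse import urlsplit


def hostname_matches(cert_names, hostname):
    """Return True if hostname matches one of the DNS names in the certificate.

    Wildcard rules follow RFC 6125 / RFC 2818 as browsers apply them: '*' is only
    honoured as the entire leftmost label, at least two labels must follow it,
    and it matches exactly one label. So '*.example.com' covers
    'alice.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True                      # exact (case-insensitive) match
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True                      # wildcard covers the leftmost label
    return False


def rp_accepts(openid_url, cert_names):
    """Decide whether the RP may trust the OP endpoint behind an OpenID URL.

    Only https URLs carry a certificate to check; for http there is nothing to
    validate (and nothing protecting the exchange either).
    """
    parts = urlsplit(openid_url)
    if parts.scheme == "http":
        return True
    if parts.scheme != "https" or not parts.hostname:
        return False
    return hostname_matches(cert_names, parts.hostname)


if __name__ == "__main__":
    # Constructed OP certificates: one issued for the bare domain, one wildcard.
    bare = ["example.com"]
    wild = ["*.example.com", "example.com"]
    print(rp_accepts("https://alice.example.com/", bare))   # False: RP must reject
    print(rp_accepts("https://alice.example.com/", wild))   # True: wildcard covers it
    print(rp_accepts("https://a.b.example.com/", wild))     # False: one label only
```

This is why option (1) and option (2) in the quoted message are the only outcomes: without a certificate covering user.domain, a correct RP rejects the https form, and the login fails exactly as Jonathan describes.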

