[OpenID] Trust + Security @ OpenID

Peter Williams pwilliams at rapattoni.com
Fri Jul 20 15:52:16 UTC 2007


 
  "TLS (and SSL) have been hobbled by the same limitation as earlier
   versions of HTTP: the initial handshake does not specify the intended
   hostname, relying exclusively on the IP address. Using a cleartext
   HTTP/1.1 Upgrade: preamble to the TLS handshake -- choosing the
   certificates based on the initial Host: header -- will allow ISPs to
   provide secure name-based virtual hosting as well."
 
The semantics that support your scheme are captured in the last line.
 
I don't know if there were patents issued on this. But I'd personally consider it an invention if someone now improved this so an OpenID is sent in place of the Host value, and certificates are then chosen with the 2 objects of (1) "strongly authenticating OpenIDs", and (2) "securing OP discovery".
 
This is all similar in intent to that which I suggested the other week, when I suggested OP Consumers use IDP-initiated SAML protection to access the (https) personal page of the OpenIDer. The HTTP upgrade is so much cleaner an approach, and dovetails nicely with related work that the folks running the XRI proxy resolver were doing when exploiting https for secure name resolution. As the upgrade agents can be http proxies, this provides a nice framework for handling OP Consumers without http1.1 TLS upgrade native capability.
 
This whole OpenID philosophy is just so much better Secure DNS, being web-friendly. That one gets webSSO for free is an obvious advantage.
 

Sorry!  Yes.  TLS in this context means negotiating to do SSL over port
80 via HTTP 1.1 mechanisms.  Once the client and server upgrade, it's
effectively the same security as https.  Specifically the client is sent
a server certificate which proves that they are (say) foo.blogspot.com.

(If someone knows differently, please correct the above.)

-John
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
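The exchange John describes above (RFC 2817 style Upgrade to TLS on port 80, with the server choosing its certificate from the Host header before the handshake runs) is illustrated below as an added example; it is not code from this thread or from any OpenID project. The certificate table and hostnames are constructed for the demo, the two halves talk over a local socket pair, and the real TLS handshake step (`start_tls`) is shown but not exercised, since that needs a live certificate. The defender-relevant detail is in `start_tls`: the client passes the hostname it intended to reach so the library checks the certificate against it, which is what makes the upgraded connection "effectively the same security as https".

```python
"""HTTP/1.1 Upgrade-to-TLS exchange (RFC 2817): client offers TLS/1.0 via
Upgrade, server picks a certificate by Host and answers 101 (or 426 to insist
on TLS), and only then does the TLS handshake run on the same socket.
Added example; CERT_BY_HOST is a constructed table, not real key material."""
import socket
import ssl
import threading

# Constructed: which certificate a name-based virtual host would present.
CERT_BY_HOST = {
    "foo.blogspot.com": "cert-for-foo.blogspot.com",
    "bar.example.net": "cert-for-bar.example.net",
}

def _read_head(sock):
    """Read bytes up to the blank line that ends an HTTP message head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("iso-8859-1")

def parse_head(text):
    """Split an HTTP head into (start line, {lowercased header name: value})."""
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def client_request_upgrade(sock, host):
    """Client side: offer TLS/1.0 in an Upgrade header for `host`.
    Returns (server switched protocols, status line)."""
    req = (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
           "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
    sock.sendall(req.encode("ascii"))
    status, headers = parse_head(_read_head(sock))
    switched = (" 101 " in status
                and "tls/1.0" in headers.get("upgrade", "").lower()
                and "upgrade" in headers.get("connection", "").lower())
    return switched, status

def server_handle_upgrade(sock, require_tls=True):
    """Server side: choose the certificate from Host, then answer 101, 426 or 400.
    Returns (status code, chosen certificate or None)."""
    _start, headers = parse_head(_read_head(sock))
    host = headers.get("host", "").split(":")[0].lower()
    cert = CERT_BY_HOST.get(host)
    if not cert:
        # Unknown virtual host: no certificate can vouch for this name.
        sock.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        return 400, None
    offered = [t.strip().lower() for t in headers.get("upgrade", "").split(",")]
    if "tls/1.0" in offered and "upgrade" in headers.get("connection", "").lower():
        sock.sendall(b"HTTP/1.1 101 Switching Protocols\r\n"
                     b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
        return 101, cert
    if require_tls:
        # RFC 2817 section 4.2: refuse plaintext and tell the client to upgrade.
        sock.sendall(b"HTTP/1.1 426 Upgrade Required\r\n"
                     b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n"
                     b"Content-Length: 0\r\n\r\n")
        return 426, cert
    sock.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    return 200, cert

def start_tls(sock, host):
    """What the client runs after seeing 101: the handshake on the same socket.
    server_hostname makes the library verify the certificate names `host`."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)

def run_exchange(host, offer_upgrade=True):
    """Drive both sides over a socket pair.
    Returns (client saw 101, server status code, certificate the server chose)."""
    c, s = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(server=server_handle_upgrade(s)))
    t.start()
    if offer_upgrade:
        switched, _ = client_request_upgrade(c, host)
    else:  # plain request with no Upgrade offer: server should push back with 426
        c.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii"))
        status, _ = parse_head(_read_head(c))
        switched = " 101 " in status
    t.join()
    c.close()
    s.close()
    code, cert = result["server"]
    return switched, code, cert

if __name__ == "__main__":
    print(run_exchange("foo.blogspot.com"))
    print(run_exchange("foo.blogspot.com", offer_upgrade=False))
```

A server that can only answer 200 to the plaintext request, rather than 426, silently gives up the protection the thread is after; the `require_tls` flag shows both behaviours side by side.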