[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Jan 12 21:30:00 UTC 2008


What do you mean by "vhosts"? Something like user.domain.com? In which 
case a wildcard certificate would do the trick...but also 
domain.com/user is a valid approach for OpenID.

Cameron King wrote:
> I'm coming into this game late, but with a heavy interest and high 
> hopes - so please correct me if I say something that's too far off in 
> left field.
>
> My only real concern with having https be the default protocol for 
> OpenIDs is that vhosted sites who want to delegate become more 
> complicated - probably requiring a plan upgrade just for that SSL and 
> dedicated IP.  We can't easily "autodetect" either without causing 
> spoofing issues on vhosts.
>
> If all RPs accept https addresses when fully specified though, you 
> might be able to get that end-to-end encryption for yourself without 
> causing problems for vhosts.
>
>
> Eddy Nigg (StartCom Ltd.) wrote:
>> Well, I suggested that more than a year ago just to get booed down...it
>> really should be part of the policy
>>
>> Sean Reilly wrote:
>>>
>>> I think the point is that OpenIDs should start with https: so that
>>> there is no http->https redirection needed.  If any step of the
>>> process goes through a normal http exchange/redirect then there is a
>>> weak link in the chain where a bad guy could take over the
>>> authentication.
>

-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
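
The weak link discussed in the thread above (a plain-http hop ahead of the https one, including the case where a schemeless identifier is read as http), as an added example that is not part of the original message: a relying-party-side check that accepts an identifier only when every discovery hop is https. The redirect table, host names and function names are constructed for illustration; the http:// default for schemeless input follows OpenID 2.0 normalization.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for HTTP responses (no network used).
# Key = requested URL, value = Location header; a URL not listed is a final 200.
SAMPLE_REDIRECTS = {
    "http://user.example.com/": "https://user.example.com/",
    "https://example.com/user": "https://id.example.com/user",
    "https://mixed.example.com/": "http://cdn.example.com/id",
}

def normalize(user_input):
    """Normalize as an RP would: input without a scheme is treated as http://."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
    if parts.query:
        url += "?" + parts.query
    return url  # fragment is dropped

def discovery_chain(url, redirects, max_hops=5):
    """Follow redirects in the table and return every URL visited, in order."""
    chain = [url]
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        chain.append(redirects[chain[-1]])
    return chain

def check_identifier(user_input, redirects=SAMPLE_REDIRECTS):
    """Return (ok, chain, reason); ok is True only if every hop is https."""
    chain = discovery_chain(normalize(user_input), redirects)
    for hop in chain:
        if urlsplit(hop).scheme != "https":
            return False, chain, f"plain http hop: {hop}"
    return True, chain, "all hops https"

if __name__ == "__main__":
    for ident in ("user.example.com", "https://example.com/user",
                  "https://mixed.example.com"):
        print(ident, "->", check_identifier(ident))
```

The first sample is rejected even though it ends on https, because the initial request that carries the redirect is itself unprotected.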
 
