[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Cameron King
cameron at uniquekings.com
Sun Jan 13 00:33:09 UTC 2008
By vhosts I mean name-based virtual hosting. Most hosting providers do
not give each user their own IP address and certificate. Often the
added cost of an SSL-enabled hosting plan (especially a wildcard
certificate) can be substantial compared to the otherwise low cost of
hosting. We wouldn't want to make SSL a requirement if we are shooting
for high adoption rates.
However, I took a look at the OpenID specs at openid.net and found that
in sec. 15.4 of the 2.0 spec and sec. 5 of the 1.1 spec, https is
explicitly allowed as a valid OpenID. So those of us who want end-to-end
SSL should be able to do so as long as the RP is behaving itself.
Cameron.
Eddy Nigg (StartCom Ltd.) wrote:
> What do you mean by "vhosts"? Something like user.domain.com? In which
> case a wildcard certificate would do the trick...but also
> domain.com/user is a valid approach for openid.
>
> Cameron King wrote:
>> I'm coming into this game late, but with a heavy interest and high
>> hopes - so please correct me if I say something that's too far off in
>> left field.
>>
>> My only real concern with having https be the default protocol for
>> OpenIDs is that vhosted sites who want to delegate become more
>> complicated - probably requiring a plan upgrade just for that SSL and
>> dedicated IP. We can't easily "autodetect" either without causing
>> spoofing issues on vhosts.
>>
>> If all RPs accept https addresses when fully specified though, you
>> might be able to get that end-to-end encryption for yourself without
>> causing problems for vhosts.
>>
>>
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> Well, I suggested that more than a year ago just to get booed down...it
>>> really should be part of the policy
>>>
>>> Sean Reilly wrote:
>>>>
>>>> I think the point is that OpenIDs should start with https: so that
>>>> there is no http->https redirection needed. If any step of the
>>>> process goes through a normal http exchange/redirect then there is a
>>>> weak link in the chain where a bad guy could take over the
>>>> authentication.
--
Cameron King
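As an added illustration of the RP-side behaviour discussed in this thread (not code from the thread or from any OpenID library): normalize a user-typed identifier the way OpenID 2.0 sec. 7.2 describes, and, once the user has fully specified https, refuse any discovery redirect that drops back to plain http, since that hop is the "weak link" Sean describes. Function names are assumptions of this example, and the redirect chain is a constructed stand-in for what an RP's HTTP client would actually follow.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols (OpenID 2.0 sec. 7.2): these are not URLs.
XRI_GCS = ("=", "@", "+", "$", "!", "(")


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 sec. 7.2 normalization of a typed identifier.

    XRIs are returned as-is; URLs get a scheme (http:// when none was
    typed), a lower-cased host, a non-empty path and no fragment.
    IDN and percent-encoding rules are deliberately left out.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in XRI_GCS:
        return s
    if "://" not in s:
        s = "http://" + s  # spec default: bare host text means http
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unsupported identifier: " + user_input)
    path = parts.path or "/"
    return urlunsplit((scheme, parts.netloc.lower(), path, parts.query, ""))


def resolve_claimed_id(identifier: str, redirect_chain: list) -> str:
    """Walk a discovery redirect chain and return the final claimed id.

    Policy: if the user typed an https identifier, every hop must stay
    https. A hop back to http would let an on-path attacker rewrite the
    discovery result and take over the authentication (sec. 15.4).
    Upgrading from http to https along the way is allowed.
    """
    require_tls = identifier.startswith("https://")
    current = identifier
    for hop in redirect_chain:
        hop = normalize_identifier(hop)
        if require_tls and not hop.startswith("https://"):
            raise ValueError(f"discovery of {identifier} downgraded to {hop}")
        current = hop
    return current


if __name__ == "__main__":
    # Constructed chain: a vhosted user page delegating to an https OP.
    print(resolve_claimed_id(normalize_identifier("https://example.com/user"),
                             ["https://id.example.com/user"]))
```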