[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Peter Williams pwilliams at rapattoni.com
Sun Jan 13 04:29:42 UTC 2008


There would seem to be two obvious architected approaches to the underlying assurance issues for multiple OPs operating in a virtual https context (wildcard SSL certs, vs load balanced clusters relying on SSL session de/multiplexing):-
 
1. A MISSI-based B3-grade general-purpose server system, in which the crypto of each openid OP is keyed/controlled by a distinct policy authority associated with one PKI (controlling via certs how reliance is performed in that partitioned distributed community), with the B3 principles on the virtual host ensuring that protection domains and security domain design principles properly separate the OPs from each other when handling messages
 
2. An OpenId Server supporting virtual OPs addresses the requirements of http://www.niap-ccevs.org/pp/draft_pps/pp_draft_skpp_hr_v0.621.pdf - where crypto is just a bit of signing/verification/key exchange rather than a control system providing for separation. The assurance comes from the design of the kernel, upon which one must ultimately rely.
 
Depending on which side of the assurance wars you fall into (NSA crypto-based assurance, or DARPA/USNavyHA trusted OS assurance), you can choose your own poison.
 
 

________________________________

From: general-bounces at openid.net on behalf of Cameron King
Sent: Sat 1/12/2008 4:33 PM
To: Eddy Nigg (StartCom Ltd.)
Cc: general at openid.net
Subject: Re: [OpenID] Selectively Redirecting OpenID Traffic To HTTPS




By vhosts I mean name-based virtual hosting.  Most hosting providers do
not give each user their own IP address and certificate.  Often the
added cost of an SSL-enabled hosting plan (especially a wildcard
certificate) can be substantial compared to the otherwise low cost of
hosting.  We wouldn't want to make SSL a requirement if we are shooting
for high adoption rates.

However, I took a look at the OpenID specs at openid.net and found that
in sec. 15.4 of the 2.0 spec and sec. 5 of the 1.1 spec, https is
explicitly allowed as a valid OpenID.  So those of us who want end-to-end
SSL should be able to do so as long as the RP behaves itself.

Cameron.

Eddy Nigg (StartCom Ltd.) wrote:
> What do you mean by "vhosts"? Something like user.domain.com? In which
> case a wild card certificate would do the trick...but also
> domain.com/user is a valid approach for openid.
>
> Cameron King wrote:
>> I'm coming into this game late, but with a heavy interest and high
>> hopes - so please correct me if I say something that's too far off in
>> left field.
>>
>> My only real concern with having https be the default protocol for
>> OpenIDs is that vhosted sites who want to delegate become more
>> complicated - probably requiring a plan upgrade just for that SSL and
>> dedicated IP.  We can't easily "autodetect" either without causing
>> spoofing issues on vhosts.
>>
>> If all RP's accept https addresses when fully specified though, you
>> might be able to get that end-to-end encryption for yourself without
>> causing problems for vhosts.
>>
>>
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> Well, I suggested that more than a year ago just to get booed down...it
>>> really should be part of the policy
>>>
>>> Sean Reilly wrote:
>>>>
>>>> I think the point is that OpenIDs should start with https: so that
>>>> there is no http->https redirection needed.  If any step of the
>>>> process goes through a normal http exchange/redirect then there is a
>>>> weak link in the chain where a bad guy could take over the
>>>> authentication.


--
Cameron King
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
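The thread above makes two separate points: an RP must treat a fully specified https: identifier as distinct from its http: form and accept it as-is (OpenID 2.0 sec. 15.4), and any plain-http hop during discovery is the weak link Sean Reilly describes. The following is an added example written for this archive page, not code from the thread or from any OpenID library. It approximates the URL-identifier normalization of OpenID 2.0 sec. 7.2 (scheme defaulting, fragment removal, trailing slash), keeps http and https identifiers distinct, and checks a discovery redirect chain for http hops. The redirect chains, host names and the `rp_policy_decision` rules are constructed for illustration and are not from the page; XRIs are out of scope.

```python
"""RP-side identifier normalization and https chain check (added example).

Constructed for illustration: the policy rules and sample URLs below are
assumptions, not taken from the OpenID mailing-list thread.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-typed URL identifier roughly as OpenID 2.0 sec. 7.2 does.

    Trim whitespace, prepend "http://" when no scheme is given, lowercase the
    scheme and host, drop any fragment, and give an empty path a trailing "/".
    Only http and https identifiers are handled here (XRIs are not).
    """
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s          # sec. 7.2: a bare host defaults to http
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported identifier scheme: {scheme}")
    netloc = parts.netloc.lower()
    path = parts.path or "/"
    # Fragment is discarded; query is kept as part of the identifier.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def is_https_identifier(identifier: str) -> bool:
    """True when the (normalized) identifier asserts TLS end to end."""
    return urlsplit(identifier).scheme.lower() == "https"


def same_identifier(a: str, b: str) -> bool:
    """Compare two identifiers after normalization.

    Per sec. 15.4 the http and https forms of the same URL are different
    identifiers, so "http://x/" and "https://x/" must compare unequal.
    """
    return normalize_identifier(a) == normalize_identifier(b)


def insecure_hops(hops):
    """Return (index, url) for every plain-http hop in a discovery chain.

    `hops` is the list of URLs fetched during discovery: the identifier first,
    then each redirect target in order. Any http hop is a point where the
    chain could be tampered with in transit.
    """
    return [(i, url) for i, url in enumerate(hops)
            if urlsplit(url).scheme.lower() == "http"]


def rp_policy_decision(claimed: str, hops, require_https: bool = False) -> str:
    """Hypothetical RP decision combining the checks above.

    - With require_https, refuse identifiers that are not https.
    - For an https identifier, refuse discovery that passed through http,
      since the identifier itself promised TLS on every hop.
    - Otherwise accept (an http identifier carries no TLS guarantee).
    """
    ident = normalize_identifier(claimed)
    if require_https and not is_https_identifier(ident):
        return "reject: https identifier required"
    bad = insecure_hops(hops)
    if is_https_identifier(ident) and bad:
        return f"reject: discovery fell back to http at hop {bad[0][0]}"
    return "accept"


if __name__ == "__main__":
    # Constructed sample chains (not real hosts).
    chain_ok = ["https://alice.example.net/", "https://alice.example.net/openid"]
    chain_bad = ["https://alice.example.net/",
                 "http://alice.example.net/id",
                 "https://op.example.org/alice"]
    print(normalize_identifier("alice.example.net"))
    print(rp_policy_decision("https://alice.example.net/", chain_ok))
    print(rp_policy_decision("https://alice.example.net/", chain_bad))
```

In this design the RP never silently upgrades or downgrades a scheme on the user's behalf; it honours the scheme the user typed, and only flags chains where the discovery path contradicts an https identifier. That keeps Cameron's scenario working (vhosted users on http stay accepted) while giving users who type an https: identifier the end-to-end check they asked for.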
