[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Cameron King cameron at uniquekings.com
Sun Jan 13 05:05:25 UTC 2008


Well, you've just given me a few more things to look into as I'm not 
already familiar with the topics you've just brought up.  +MISSI +B3 
isn't helping me much in Google though.  Could you email me some links I 
can use to become more familiar on the topic?

While I'm not sure that either of these are in the realm of possibility 
for your average net user trying to setup his vhosted blog to delegate 
an OpenID, these options might be very appealing to a larger company who 
wants to SSL enable all their OpenIDs.

Peter Williams wrote:
> There would seem to be two, obvious architected approaches to the underlying assurance issues for multiple OPs operating in a virtual https context (wildcard SSL certs, vs load balanced clusters relying on SSL session de/multiplexing):-
>
> 1. A MISSI-based B3-grade general-purpose server system, in which the crypto of each openid OP is keyed/controlled by a distinct policy authority asociated with one PKI (controlling via certs how reliance is performed in that partitioned distibuted community), with the B3 principles on the virutal host ensuring that protection domains and security domain design principles properly seperate the OPs from each other when handling messages
>
> 2. A OpenId Server supportiing virtual OPs addresses the requirements of http://www.niap-ccevs.org/pp/draft_pps/pp_draft_skpp_hr_v0.621.pdf - where crypto is just a bit of signing/verification/keyexchange rather than a control system providing for seperation. The assurance comes from the design of the kernel, upon which one must ultimate rely.
>
> Depending which side of the assurance wars you fall into (NSA crypto-based assurance, or DARPA/USNavyHA trusted OS assurance), you can choose your own poison.
>
> ________________________________
>
> From: general-bounces at openid.net on behalf of Cameron King
>
> By vhosts I mean name-based virtual hosting.  Most hosting providers do
> not give each user their own IP address and certificate.  Often the
> added cost of a SSL-enabled hosting plan (expecially a wildcard
> certificate) can be substantial compared to the otherwise low cost of
> hosting.  We wouldn't want to make SSL a requirement if we are shooting
> for high adoption rates.
> ...
>
> Eddy Nigg (StartCom Ltd.) wrote:
>> What do you mean by "vhosts"? Something like user.domain.com? In which
>> case a wild card certificate would do the trick...but also
>> domain.com/user is a valid approach for openid.
>>
>> Cameron King wrote:
>>> ...
>>> My only real concern with having https be the default protocol for
>>> OpenIDs is that vhosted sites who want to delegate become more
>>> complicated - probably requiring a plan upgrade just for that SSL and
>>> dedicated IP.  We can't easily "autodetect" either without causing
>>> spoofing issues on vhosts.
>>> ...
>>>
>>> Eddy Nigg (StartCom Ltd.) wrote:
>>>> Well, I suggested that more than a year ago just to get booed down...it
>>>> really should be part of the policy
>>>>
>>>> Sean Reilly wrote:
>>>>> I think the point is that OpenIDs should start with https: so that
>>>>> there is no http->https redirection needed.  If any step of the
>>>>> process goes through a normal http exchange/redirect then there is a
>>>>> weak link in the chain where a bad guy could take over the
>>>>> authentication.

-- 
Cameron King



More information about the general mailing list