IdP's Advertising Both http and https

Recordon, David drecordon at verisign.com
Tue Nov 7 20:34:40 UTC 2006


Moving this to the list, I really should have started it there in the
first place.

--David

-----Original Message-----
From: Recordon, David 
Sent: Monday, November 06, 2006 2:06 PM
To: 'Dick Hardt'; Josh Hoyt
Subject: RE: IdP's Advertising Both http and https

Hey Dick,
But the security warnings will still exist:
 - RP redirects me to http on IdP
 - IdP redirects me to https on IdP for login page (warning)
 - I interact with IdP for "trust request" via https
 - I submit HTTPS form
 - IdP redirects me back to RP via http (warning) 

Am I missing something here?

The only way to remove all of the warnings is adding additional
redirects to itself in these steps to remove the warnings.

I guess I'm not sure what I think we should do, though don't think this
is a simple problem.

--David

-----Original Message-----
From: Dick Hardt [mailto:dick at sxip.com]
Sent: Saturday, November 04, 2006 6:49 PM
To: Recordon, David
Cc: Josh Hoyt
Subject: Re: IdP's Advertising Both http and https

Hi David

If the RP is only using HTTP, then the request and response are in
the clear between the RP and user-agent, and using SSL between the
user-agent and OP has nominal benefit. In case it was not clear, the OP
SHOULD switch to HTTPS for all other transactions between the user-
agent and the OP, so user authentication is secure and any other
personal data transported while the user is deciding what to do is
secure.

I think many RPs will only be using HTTP, so this will be a usability
issue if they are seeing the browser warning.

... but perhaps I am not clear on what you were thinking you wanted to
do?

-- Dick

On 30-Oct-06, at 4:55 PM, Recordon, David wrote:

> So I was writing this one up for the notes and it just doesn't seem to
> be sitting well with me as I think about it more:
>
>  - An IdP can already advertise both http and https endpoints in their
> Yadis files.  A RP should use the same schema when redirecting the 
> user to the IdP as it uses for its endpoints, though if this is not 
> possible can decide to not continue the transaction.  This is desired 
> due to browsers showing a security warning when redirecting from https
> to http and vice-versa.
>
> So if the RP is HTTP, I think the security benefits of using SSL for 
> the request (if the IdP offers a https endpoint) outweigh the fact 
> that the user will be shown a warning on the response.  I guess I have
> a hard time making this recommendation when instead I personally would
> recommend an IdP not advertise a HTTP endpoint if it has a HTTPS one.
> I think the reality is that anyone doing anything but testing with 
> OpenID really should be using SSL, though certainly also don't believe
> that 100% of IdPs and RPs will do so.
>
> Thoughts?
>
> --David
>
>
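
The endpoint choice and redirect sequence discussed in this thread, sketched as an added example that is not part of any message above: it selects an IdP endpoint under either the "match the RP's scheme" rule or a "prefer https" rule, then lists the hops where the scheme changes, which the thread identifies as the points where browsers warn. The host names `rp.example` and `idp.example`, the `/login` path and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: endpoints an IdP might advertise in its Yadis file.
ADVERTISED = ["http://idp.example/openid", "https://idp.example/openid"]


def scheme(url):
    return urlsplit(url).scheme.lower()


def select_endpoint(rp_url, advertised, policy="match"):
    """Return the IdP endpoint to redirect to, or None to stop the transaction.

    policy="match":        same scheme as the RP; None if the IdP has no such endpoint.
    policy="prefer_https": https when offered, whatever scheme the RP itself uses.
    """
    by_scheme = {}
    for url in advertised:
        if scheme(url) in ("http", "https"):
            by_scheme.setdefault(scheme(url), url)  # first endpoint per scheme wins
    if policy == "match":
        return by_scheme.get(scheme(rp_url))
    if policy == "prefer_https":
        return by_scheme.get("https") or by_scheme.get("http")
    raise ValueError("unknown policy: %r" % policy)


def flow(rp_url, endpoint):
    """Hops of one authentication: RP -> IdP endpoint -> IdP login page -> RP.

    The IdP always moves the user to https for login and the trust request,
    as recommended in the thread. The /login path is hypothetical.
    """
    login = "https://" + urlsplit(endpoint).netloc + "/login"
    return [rp_url, endpoint, login, rp_url]


def scheme_changes(hops):
    """Return (from, to) pairs of consecutive hops whose schemes differ."""
    return [(a, b) for a, b in zip(hops, hops[1:]) if scheme(a) != scheme(b)]


if __name__ == "__main__":
    for rp in ("http://rp.example/", "https://rp.example/"):
        for policy in ("match", "prefer_https"):
            ep = select_endpoint(rp, ADVERTISED, policy)
            print(rp, policy, ep, len(scheme_changes(flow(rp, ep))))
```

For an http-only RP both policies yield two scheme changes; only where they occur differs. An https RP using the https endpoint sees none.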




