HTTPS status
Martin Atkins
mart at degeneration.co.uk
Thu Mar 1 00:13:34 UTC 2007
Alaric Dailey wrote:
> Eddy Nigg and I brought up the issue of requiring SSL a while back. Since
> then I have been swamped, but it looked like there was some more talk about
> it since then.
>
> I know that there are several other people who are concerned about this
> too, and it has even been blogged about
> ( http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID ).
>
> Can someone please tell me the status on this? Hopefully it's being required!
>
As far as I'm aware, the current status is:

* All OpenID identifiers SHOULD use a secure channel.
* All OpenID servers SHOULD use a secure channel.
* OpenID relying parties MUST support SSL access to HTTP URLs.
* OpenID relying parties MAY refuse to interface with identifiers and
  servers that do not use a secure channel.
* All other connections are out of scope of OpenID Authentication.

I may be wrong on these, as I'm listing them from memory.

In practice, I expect all big OpenID providers will support SSL because
users will demand it. The sites currently providing OpenID identifiers
as value-add features alongside an existing service (LiveJournal, etc.)
probably won't get used much once there are more "proper" providers.

People hosting their own identifiers and/or OPs probably won't use SSL,
but then they won't be able to use their identifiers at any site which
requires SSL-based OpenID Authentication, and they'll be in the minority
anyway.
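
The "MAY refuse" item in the list above, sketched as a relying-party policy check. This is an added example, not part of the original post and not code from any OpenID library. The function names, the `.example` hosts, and the rule that a scheme-less identifier is treated as `http://` are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def normalize_identifier(user_input):
    """Assumption: input typed without a scheme is fetched over plain http://."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    return s


def is_secure(url):
    """True only for an https URL that actually names a host."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def check_secure_channel(user_input, redirect_chain, op_endpoint):
    """Return (accepted, reason) for a relying party that requires SSL.

    The identifier URL, every redirect followed while fetching it, and the
    server endpoint are all checked: one plain-HTTP hop anywhere in the
    chain lets a network attacker substitute the server the relying party
    ends up trusting, so a single insecure URL refuses the whole attempt.
    """
    hops = [("identifier", normalize_identifier(user_input))]
    hops += [("redirect", url) for url in redirect_chain]
    hops.append(("server", op_endpoint))
    for kind, url in hops:
        if not is_secure(url):
            return False, f"{kind} not on a secure channel: {url}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts).
    samples = [
        ("https://alice.example/", [], "https://op.example/auth"),
        ("alice.example", [], "https://op.example/auth"),
        ("https://alice.example/", ["http://alice.example/id"],
         "https://op.example/auth"),
        ("https://alice.example/", [], "http://op.example/auth"),
    ]
    for args in samples:
        print(args[0], "->", check_secure_channel(*args))
```
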