security
Recordon, David
drecordon at verisign.com
Sat Nov 4 21:23:25 UTC 2006
What about just "See 12.4.1 for more information about HTTP and HTTPS
URL Identifiers."?
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Martin Atkins
Sent: Friday, October 27, 2006 12:51 PM
To: general at openid.net
Subject: Re: security
Josh Hoyt wrote:
> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
>> Indeed, not long after I posted this I was reviewing the spec for
>> other reasons and found this:
>>
> [spec quote about normalization snipped]
>> Note in particular the end of the first paragraph, which states
>> simply that one should prefix http://. HTTPS URLs must be spelled out
>> as https://, which is a bit of a shame (we're optimising for the
>> insecure case as far as users are concerned) but I can't think of any
>> way to securely support the short form of both http: and https: URLs.
>
> Does this help?
>
> 12.4.1. HTTP and HTTPS URL Identifiers
>
> Relying Parties MUST differentiate between URL Identifiers that have
> different schemes. When user input is processed into a URL, it is
> processed into a HTTP URL. If the same End User controls the same URL,
> differing only by scheme, and it is desired that the Identifier be the
> HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP
> URL to the HTTPS URL. Because the HTTP and HTTPS URLs are not
> equivalent and the Identifier that is used is the URL after following
> redirects, there is no reduction in security when using this scheme.
> If an attacker could gain control of the HTTP URL, it would have no
> effect on the HTTPS URL, since the HTTP URL is not ever used as an
> Identifier.
>
> (http://openid.net/specs/openid-authentication-2_0-10.html#anchor39)
>
Ahh yes. I missed that on my quick scanning.
Perhaps it'd be nice if section 8.2 included a short sentence
referring to 12.4.1, since I imagine this'll be a common question if
SSL-powered identifiers become commonplace.
I'm not sure how to word it, though, since it's really a friendly
suggestion rather than a normative spec requirement. "To find out how to
use this shorthand with HTTPS identifiers, see 12.4.1" seems too
informal and un-spec-like compared to the surrounding language.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
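The 12.4.1 rule quoted in the thread, as an added illustration (not code from the thread or from the OpenID spec): user input without a scheme is prefixed with http://, the Identifier is the URL reached after following redirects, and http and https forms of the same URL are never treated as equivalent. The redirect table is a constructed stand-in for the network so the example runs offline; the normalization shown is a simplification of the spec's, not a full implementation.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the network: a redirect table in place of live
# HTTP fetches, so the example runs offline.  Value is the Location header.
REDIRECTS = {
    "http://alice.example/": "https://alice.example/",   # 12.4.1 RECOMMENDED setup
    "http://bob.example/": "http://bob.example/",        # misconfigured: loops
}
MAX_REDIRECTS = 10


def normalize_user_input(text: str) -> str:
    """Turn typed user input into a URL: add 'http://' only when no scheme
    was typed, lower-case scheme and host, default the path, drop fragment."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, ""))


def resolve_identifier(text: str, redirects=REDIRECTS) -> str:
    """The Identifier is the URL reached after following redirects, so an
    http:// URL that redirects to https:// yields the https:// Identifier."""
    url = normalize_user_input(text)
    seen = set()
    while url in redirects:
        if url in seen or len(seen) >= MAX_REDIRECTS:
            raise ValueError(f"redirect loop or chain too long at {url}")
        seen.add(url)
        url = normalize_user_input(redirects[url])
    return url


def same_identifier(a: str, b: str) -> bool:
    """RPs MUST treat URLs differing only by scheme as different Identifiers,
    so equality is a plain string comparison of the resolved URLs."""
    return resolve_identifier(a) == resolve_identifier(b)


if __name__ == "__main__":
    print(resolve_identifier("alice.example"))                             # https://alice.example/
    print(same_identifier("http://dave.example", "https://dave.example"))  # False
```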