security

[Martin Atkins]

Dan Lyke wrote:
> 
> So what does it solve that the Identity URL is HTTPS? (There's  
> probably something, I don't know and am just working through the  
> implications)
> 

The only effect that an unsecured Identity URL has is the possibility 
for an attacker to "fool" an RP into loading a different Identity URL 
and thus successfully authenticate with that RP based on the fraudulent 
authority details.

Having it use HTTPS allows RPs to (presumably) check that they are 
talking to the site that *should* be at the given domain name, though 
obviously this relies on correct certificates and those certificates 
being revoked in the event that a domain expires, etc.

Regardless, it's my belief that the early adopters that will be setting 
up these vanity identifiers are going to be knowledgeable enough to 
evaluate for themselves the risk of having a non-secure identity URL, 
especially if we include a description of the implications in the spec 
or in a separate best practices document. Moving forward, as the 
technology matures, we can hope that mass-market IdPs will provide 
secured identity URLs, but we're not currently in that position.