security
Pete Rowley
prowley at redhat.com
Fri Oct 27 17:00:49 UTC 2006
Josh Hoyt wrote:
> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
>
>> Indeed, not long after I posted this I was reviewing the spec for other
>> reasons and found this:
>>
>>
> [spec quote about normalization snipped]
>
>> Note in particular the end of the first paragraph, which states simply
>> that one should prefix http://. HTTPS URLs must be spelled out as
>> https://, which is a bit of a shame (we're optimising for the insecure
>> case as far as users are concerned) but I can't think of any way to
>> securely support the short form of both http: and https: URLs.
>>
>
> Does this help?
>
>
> 12.4.1. HTTP and HTTPS URL Identifiers
>
> Relying Parties MUST differentiate between URL Identifiers that have
> different schemes.
This is what allows the attack to be viable. This should be MUST NOT for
all parties, or in other words "URL identifiers differing in scheme MUST
be treated as equivalent for the purposes of identification."
What were the reasons behind treating http and https identifiers as
unique from each other?
--
Pete
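As an added illustration (not part of this thread, and not the spec's or any OpenID library's code), the following shows the two things being argued about: the normalization in which a short-form identifier gets an http:// prefix, and the difference between the spec's "differentiate schemes" rule in 12.4.1 and the "treat as equivalent" rule proposed above. The normalization is a constructed approximation of OpenID 2.0 Section 7.2 (XRI handling and redirect-following are left out).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed approximation of OpenID 2.0 Section 7.2 normalization for URL
# Identifiers (XRI handling and redirect-following are left out on purpose).
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(identifier: str) -> str:
    """Turn what a user typed into a canonical URL Identifier.

    A bare "example.com" becomes "http://example.com/": the short form always
    lands on the insecure scheme, and "https://" has to be spelled out.
    """
    s = identifier.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # scheme/host are case-insensitive
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"                    # keep only non-default ports
    path = parts.path or "/"                       # empty path becomes "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # fragment dropped


def same_identifier(a: str, b: str, differentiate_schemes: bool = True) -> bool:
    """Decide whether two identifiers name the same user.

    differentiate_schemes=True is the spec's MUST in 12.4.1: http://x/ and
    https://x/ are two different identities.  False is the equivalence rule
    proposed in the reply above: the scheme is ignored for identification.
    """
    na, nb = normalize(a), normalize(b)
    if differentiate_schemes:
        return na == nb
    return na.split("://", 1)[1] == nb.split("://", 1)[1]


if __name__ == "__main__":
    typed = "example.com"                       # the short form a user is likely to type
    registered = "https://example.com/"         # the identifier the user actually owns
    print(normalize(typed))                     # http://example.com/
    print(same_identifier(typed, registered))   # False under the spec's rule
    print(same_identifier(typed, registered, differentiate_schemes=False))  # True
```

Whichever rule a Relying Party picks, it has to apply it consistently everywhere an identifier is compared, since a mismatch between the two rules is exactly what the thread is worried about.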