security

Alaric Dailey alaricdailey at hotmail.com
Fri Oct 27 17:07:34 UTC 2006


In reality, all IdPs should force SSL, therefore they can't be treated as
separate entities.  


BTW - shouldn't this be on the specs@ or security@ list?

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Pete Rowley
Sent: Friday, October 27, 2006 12:01 PM
To: Josh Hoyt
Cc: Martin Atkins; general at openid.net
Subject: Re: security

Josh Hoyt wrote:
> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
>   
>> Indeed, not long after I posted this I was reviewing the spec for 
>> other reasons and found this:
>>
>>     
> [spec quote about normalization snipped]
>   
>> Note in particular the end of the first paragraph, which states 
>> simply that one should prefix http://. HTTPS URLs must be spelled out 
>> as https://, which is a bit of a shame (we're optimising for the 
>> insecure case as far as users are concerned) but I can't think of any 
>> way to securely support the short form of both http: and https: URLs.
>>     
>
> Does this help?
>
>   

> 12.4.1.  HTTP and HTTPS URL Identifiers
>
> Relying Parties MUST differentiate between URL Identifiers that have 
> different schemes.
This is what allows the attack to be viable. This should be MUST NOT for all
parties, or in other words "URL identifiers differing in scheme MUST be
treated as equivalent for the purposes of identification."

What were the reasons behind treating http and https identifiers as unique
from each other?

--
Pete
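As an added example (not code from this thread or from the OpenID project), the normalization rule quoted above in Python: a bare identifier is prefixed with http://, so the short form always yields the http identifier and https must be typed out, and two identifiers that differ only in scheme compare as distinct, as the quoted section 12.4.1 requires of Relying Parties. The lowercasing of scheme and host, the default "/" path and the dropped fragment are my assumptions from RFC 3986 syntax-based normalization, not rules quoted in the thread.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_openid_identifier(raw: str) -> str:
    """Normalize a user-typed URL Identifier as the quoted spec text describes.

    - no scheme present: prefix "http://" (the short form is the http
      identifier; an https identifier has to be spelled out as https://)
    - assumption beyond the thread: RFC 3986 syntax-based normalization,
      i.e. lowercase scheme and host, empty path becomes "/", fragment dropped
    """
    ident = raw.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # XRI and other identifier types are out of scope for this example
        raise ValueError(f"unsupported scheme: {scheme!r}")
    netloc = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """Compare two identifiers the way section 12.4.1 requires: identifiers
    that differ in scheme are different identifiers, everything else is
    compared after normalization."""
    return normalize_openid_identifier(a) == normalize_openid_identifier(b)


if __name__ == "__main__":
    # Constructed sample inputs a user might type into an RP login box.
    for typed in ("example.com", "https://example.com", "Example.COM/"):
        print(f"{typed!r:28} -> {normalize_openid_identifier(typed)}")
    # The short form and the https form are NOT the same identifier.
    print(same_identifier("example.com", "https://example.com"))
```

The False printed last is the point of the thread: a user who types the short form is asserting the http identifier, not the https one, and an RP that follows 12.4.1 keeps the two apart.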
