security

Martin Atkins mart at degeneration.co.uk
Fri Oct 27 16:51:25 UTC 2006


Josh Hoyt wrote:
> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
>> Indeed, not long after I posted this I was reviewing the spec for other
>> reasons and found this:
>>
> [spec quote about normalization snipped]
>> Note in particular the end of the first paragraph, which states simply
>> that one should prefix http://. HTTPS URLs must be spelled out as
>> https://, which is a bit of a shame (we're optimising for the insecure
>> case as far as users are concerned) but I can't think of any way to
>> securely support the short form of both http: and https: URLs.
> 
> Does this help?
> 
> 12.4.1.  HTTP and HTTPS URL Identifiers
> 
> Relying Parties MUST differentiate between URL Identifiers that have
> different schemes. When user input is processed into a URL, it is
> processed into a HTTP URL. If the same End User controls the same URL,
> differing only by scheme, and it is desired that the Identifier be the
> HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP
> URL to the HTTPS URL. Because the HTTP and HTTPS URLs are not
> equivalent and the Identifier that is used is the URL after following
> redirects, there is no reduction in security when using this scheme.
> If an attacker could gain control of the HTTP URL, it would have no
> effect on the HTTPS URL, since the HTTP URL is not ever used as an
> Identifier.
> 
> (http://openid.net/specs/openid-authentication-2_0-10.html#anchor39)
> 

Ahh yes. I missed that on my quick scanning.

Perhaps it'd be nice if section 8.2 included a short sentence 
referring to 12.4.1, since I imagine this'll be a common question if 
SSL-powered identifiers become commonplace.

I'm not sure how to word it, though, since it's really a friendly 
suggestion rather than a normative spec requirement. "To find out how to 
use this shorthand with HTTPS identifiers, see 12.4.1" seems too 
informal and un-spec-like compared to the surrounding language.

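The behaviour the two of them are discussing, as an added worked example that is not code from this thread or from the OpenID specification: a user types a bare identifier, the Relying Party prefixes http:// and normalises it, follows any redirects, and treats the URL it ends up at as the identifier, so an http:// URL that redirects to its https:// twin yields the https:// identifier and the two schemes are never conflated. The normalisation rules below are a simplified reading of spec section 7.2 (XRIs and percent-encoding normalisation are left out), the host names and redirect table are constructed for the example, and the redirect cap of 10 is my own choice.

```python
"""
Added example, not from the OpenID spec or the mailing-list thread:
a minimal model of how an OpenID 2.0 Relying Party turns user input into
a claimed identifier. Normalisation is a simplified reading of spec
section 7.2; the redirect handling follows the reasoning of 12.4.1.
The "web" here is a constructed in-memory table, not real HTTP.
"""
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 10  # assumption: a sane cap; the spec fixes no number

DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into a normalised HTTP(S) URL identifier.

    Simplified from OpenID 2.0 s7.2 and RFC 3986 s6:
      * no scheme given -> prefix "http://" (the insecure default the
        thread complains about; "https://" must be typed out in full)
      * scheme and host are case-insensitive -> lower-case them
      * an explicit default port is dropped (http://a:80/ == http://a/)
      * an empty path becomes "/"
      * the fragment is not part of the identifier -> drop it
    XRI handling is deliberately left out of this example.
    """
    s = user_input.strip()
    if not (s.lower().startswith("http://") or s.lower().startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)            # urlsplit already lower-cases the scheme
    scheme = parts.scheme
    host = parts.hostname or ""    # .hostname is lower-cased for us
    port = parts.port              # None when no explicit port was given
    if port is not None and port != DEFAULT_PORT[scheme]:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def discover_identifier(normalized_url: str, fetch, max_redirects: int = MAX_REDIRECTS) -> str:
    """Follow redirects from the normalised URL; the *final* URL is the
    identifier the RP actually uses (OpenID 2.0 s12.4.1).

    fetch(url) models one HTTP request: it returns the Location of a
    redirect, or None when the URL answers with content of its own.
    """
    url = normalized_url
    seen = [url]
    for _ in range(max_redirects):
        target = fetch(url)
        if target is None:
            return url                      # this is the identifier
        url = normalize_identifier(target)  # redirect targets are normalised too
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.append(url)
    raise ValueError(f"more than {max_redirects} redirects from {normalized_url}")


def same_identifier(a: str, b: str) -> bool:
    """RPs MUST treat URLs differing only in scheme as different identifiers,
    so plain string equality of the normalised forms is the right test."""
    return normalize_identifier(a) == normalize_identifier(b)


# Constructed redirect table standing in for the web (assumption: these
# hosts and responses are invented for the example).
WEB = {
    "http://alice.example/": "https://alice.example/",  # 12.4.1 recommended redirect
    "https://alice.example/": None,                     # serves the identity page
    "http://bob.example/": None,                        # plain http identity, no TLS
}


def fake_fetch(url: str):
    """Look a URL up in the constructed table; unknown URLs are an error."""
    if url not in WEB:
        raise LookupError(f"no such resource in the constructed table: {url}")
    return WEB[url]


if __name__ == "__main__":
    for typed in ("alice.example", "Bob.Example", "HTTPS://alice.example:443/#me"):
        start = normalize_identifier(typed)
        final = discover_identifier(start, fake_fetch)
        print(f"{typed!r:38} -> {start:26} -> identifier {final}")
    print("http vs https same identifier?",
          same_identifier("http://alice.example/", "https://alice.example/"))
```

Because the identifier is the URL after redirects, the table above makes "alice.example" resolve to the https:// identifier while an attacker who only controlled the http:// URL could at most redirect the user to some other URL, which would then be a different identifier rather than Alice's.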


