[OpenID] OpenID and HTTPS
Jonathan Daugherty
cygnus at janrain.com
Fri Feb 9 23:04:44 UTC 2007
# I was hoping for something better than a guess. I was hoping to
# attract the attention of someone who knows.
#
# However, assuming that the guess is correct, then the documentation
# needs to be updated, and I don't know what it should say. Should
# the documentation say (1) if the http://user.domain... form of
# OpenID URL is supported by an OP, then a wildcard certificate MUST
# be obtained, or (2) if that form is allowed, then "https" MUST NOT
# be used when supplying an OpenID URL. Either one seems to have
# security or cost ramifications that should be mentioned.
I don't know what documentation you're referring to, but presumably
you mean the spec; in that case, it's the RP implementation's
responsibility to fail to validate the supplied certificate in the
case you mentioned.
--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com
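An added illustration, not part of the original thread, of the RP-side check Jonathan describes: the host of an https OpenID identifier is compared against the dNSName entries of the OP's certificate, and a wildcard name is honoured only as a whole leftmost label that covers exactly one label, so `*.example.com` covers `alice.example.com` but not `example.com` or `a.alice.example.com`. Function names and the sample hostnames and certificate names are constructed for this example; a real RP would take the names from the chain it has already validated.

```python
from typing import Iterable
from urllib.parse import urlsplit


def hostname_matches_cert_name(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (a dNSName from the certificate) covers hostname.

    Rules follow RFC 6125 section 6.4.3 in their strict form:
    - comparison is case-insensitive and ignores a trailing dot,
    - a wildcard is accepted only as the entire leftmost label,
    - the wildcard must cover exactly one label (label counts must be equal),
    - a wildcard name needs at least three labels, so "*.com" never matches.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    # Partial wildcards ("u*.example.com") and non-leftmost wildcards are rejected.
    if any("*" in label and label != "*" for label in pat_labels):
        return False
    if "*" in pat_labels[1:]:
        return False
    if pat_labels[0] == "*" and len(pat_labels) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(pat_labels, host_labels))


def rp_accepts_https_identifier(openid_url: str, cert_dns_names: Iterable[str]) -> bool:
    """RP-side decision for an https OpenID identifier (constructed helper).

    The identifier is accepted only when its scheme is https and at least one
    dNSName in the OP's certificate covers the identifier's host; otherwise the
    RP must treat certificate validation as failed.
    """
    parts = urlsplit(openid_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(hostname_matches_cert_name(parts.hostname, n) for n in cert_dns_names)
```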