[OpenID] Trust + Security @ OpenID

Pat Patterson Andrew.Patterson at Sun.COM
Thu Jul 19 17:33:11 UTC 2007


I would think that jumping straight to (3) would be much simpler to 
implement than including step (2) - no need to guard against redirection 
- and no practical difference, as far as I can see.

Cheers,

Pat

John Panzer wrote:
> Dmitry Shechtman wrote:
>   
>> Hi list,
>>
>>  
>>
>> I just had a really fertile talk with Eddy about “IdP reputation”, 
>> during which I came up with a couple of ideas which I found sound enough 
>> to be shared with the community:
>>
>>  
>>
>>    1. If an RP is after strong IdP security, it should only trust IdPs
>>       that have SSL (so it would resolve all identifiers to https://)
>>     
>
> Agreed.
>
> But I have a dumb question before even getting past step 1 (sorry).  I 
> think this is the right algorithm to use to tell if an OP supports SSL, 
> and if so, to use it:
>
> (1) If a user gives a protocol-less identifier, say foo.example.org, 
> assume it's http://foo.example.org.
> (2) Given http://foo.example.org, attempt an HTTP/1.1 connection and see 
> if you get upgraded to TLS.
> (3) If no TLS, blindly remap to https://foo.example.org and attempt an 
> SSL connection.
> (4) If both (2) and (3) fail, don't trust.
>
> In particular, if you see a 302 redirect on step (2) to an https:// URL, 
> ignore it (susceptible to man-in-the-middle attack).
>
> And the above applies both to an OpenID URL itself and any URLs that 
> resource delegates to via <link>.
>
> Does this sound correct?  I don't like the extra connection attempts and 
> if someone says that nobody upgrades to TLS over http in the real world 
> I'd be fine skipping it, or inverting (2) and (3) perhaps, since the OPs 
> I know would be fine jumping straight to (3).
>
> -John
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>   
-- 
Pat Patterson - pat.patterson at sun.com
Federation Architect,
Sun Microsystems, Inc.
http://blogs.sun.com/superpat
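The resolution rule the two messages above converge on (remap every identifier to https:// before connecting, never follow a hop that leaves TLS, apply the same test to the openid.server and openid.delegate URLs the page points at via <link>, and treat a failed TLS connection as "don't trust") is small enough to write out. This is an added example, not code from the thread or from any OpenID library; it assumes OpenID 1.1-style HTML link discovery, takes the network as an injected fetch(url) -> (status, headers, body) callable, and the hostnames and responses in _FAKE_WEB are constructed so it runs offline.

```python
import html.parser
from urllib.parse import urljoin, urlsplit, urlunsplit

MAX_REDIRECTS = 3


class DiscoveryError(Exception):
    """Identifier could not be resolved over TLS end to end: do not trust."""


def to_https(identifier):
    """Steps (1) and (3) collapsed, as Pat suggests: protocol-less and http://
    identifiers become https:// before any connection, so no cleartext request
    is ever sent and there is no http->https redirect for a MITM to tamper with."""
    ident = identifier.strip()
    parts = urlsplit(ident if "://" in ident else "https://" + ident)
    if parts.scheme not in ("http", "https"):
        raise DiscoveryError(f"unsupported scheme: {parts.scheme!r}")
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                       parts.query, ""))  # fragment dropped


def fetch_https_only(url, fetch):
    """Fetch, following at most MAX_REDIRECTS redirects, refusing any hop whose
    URL (including a Location target) is not https://.  A connection failure is
    step (4): the OP offers no TLS and is not trusted."""
    for _ in range(MAX_REDIRECTS + 1):
        if urlsplit(url).scheme != "https":
            raise DiscoveryError(f"refusing non-TLS URL: {url}")
        try:
            status, headers, body = fetch(url)
        except OSError as exc:
            raise DiscoveryError(f"TLS connection to {url} failed: {exc}") from exc
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        if status != 200:
            raise DiscoveryError(f"{url} returned HTTP {status}")
        return url, body
    raise DiscoveryError("too many redirects")


class _LinkParser(html.parser.HTMLParser):
    """Collects <link rel=... href=...> pairs from the identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel, a["href"])


def discover(identifier, fetch):
    """Return claimed id, delegate and OP server URL, all over https://,
    or raise DiscoveryError."""
    final_url, body = fetch_https_only(to_https(identifier), fetch)
    parser = _LinkParser()
    parser.feed(body)
    server = parser.links.get("openid.server")
    if server is None:
        raise DiscoveryError(f"no openid.server link at {final_url}")
    server = urljoin(final_url, server)
    delegate = urljoin(final_url, parser.links.get("openid.delegate") or final_url)
    # Same rule for the URLs the resource delegates to via <link>.
    for name, u in (("openid.server", server), ("openid.delegate", delegate)):
        if urlsplit(u).scheme != "https":
            raise DiscoveryError(f"{name} is not https://: {u}")
    return {"claimed_id": final_url, "delegate": delegate, "server": server}


def is_trusted(identifier, fetch):
    """Boolean form of discover(): True only if everything resolves over TLS."""
    try:
        discover(identifier, fetch)
        return True
    except DiscoveryError:
        return False


# Constructed responses standing in for the network; these hosts are made up.
_FAKE_WEB = {
    "https://alice.example.org/": (200, {}, (
        '<html><head>'
        '<link rel="openid.server" href="https://op.example.org/server">'
        '<link rel="openid.delegate" href="https://op.example.org/u/alice">'
        '</head></html>')),
    # https:// redirecting down to http://: a downgrade, must be refused.
    "https://bob.example.org/": (302, {"location": "http://bob.example.org/home"}, ""),
    # Page is on TLS but delegates to an OP that is not.
    "https://carol.example.org/": (200, {}, '<link rel="openid.server" href="http://op.example.net/server">'),
    # Legitimate https->https redirect with relative <link> hrefs.
    "https://dave.example.org/": (302, {"location": "/id"}, ""),
    "https://dave.example.org/id": (200, {}, '<link rel="openid.server" href="/server">'),
}


def fake_fetch(url):
    """Stand-in for an HTTPS client that validates certificates (assumed)."""
    try:
        return _FAKE_WEB[url]
    except KeyError:
        raise ConnectionRefusedError(f"no TLS listener for {url}")
```

Running discover("alice.example.org", fake_fetch) and discover("http://alice.example.org", fake_fetch) give the same result because the http:// form is rewritten before any request; bob (downgrade redirect), carol (non-TLS OP) and erin (no TLS listener) are all rejected. The scheme check only means something if the real fetch callable validates the server certificate against the hostname; an https:// URL reached through a client that skips verification gives no more protection against the man-in-the-middle John describes than the redirect it replaces.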
