[OpenID] Trust + Security @ OpenID
Dmitry Shechtman
damnian at gmail.com
Fri Jul 20 17:27:07 UTC 2007
> Sorry! Yes. TLS in this context means negotiating to do SSL over port
> 80 via HTTP 1.1 mechanisms. Once the client and server upgrade, it's
> effectively the same security as https. Specifically the client is sent
> a server certificate which proves that they are (say) foo.blogspot.com.
Thanks for clarifying that.
So my question stands: what should the RP's decision be in case a
non-upgradeable http:// variant of the identifier is detected?
I am fully aware of the DNS spoofing risks, but I am also assuming no OPs
(in the wild, that is) currently satisfy this constraint (i.e. either SSL
only or TLS-upgradable identifiers). If you have i-names in mind, there is a
much easier way of blocking non-compliant OPs...
Regards,
Dmitry
=damnian
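The quoted reply describes the HTTP/1.1 Upgrade-to-TLS mechanism (RFC 2817) and Dmitry asks what an RP should do with an http:// identifier whose server cannot upgrade. The following is an added example, not code from the thread or from any OpenID library, sketching the RP-side check in Python: build the Upgrade request, recognise a genuine "101 Switching Protocols" answer, and fold the result into a decision. The function names, the `UpgradeProbeResult` type and the two server responses are constructed for illustration.

```python
# Added example (not from the OpenID thread): RP-side probe for RFC 2817
# "Upgrade: TLS/1.0" support on an http:// identifier, run against constructed
# responses so it works offline.
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass
class UpgradeProbeResult:          # hypothetical result type
    identifier: str
    upgradable: bool
    reason: str


def build_upgrade_request(identifier: str) -> bytes:
    """Request an RP would send to ask the server to switch to TLS (RFC 2817, 3.1)."""
    u = urlparse(identifier)
    if u.scheme != "http":
        raise ValueError("upgrade probe only applies to http:// identifiers")
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {u.netloc}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n"
        "\r\n"
    ).encode("ascii")


def _headers(head: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def parse_upgrade_response(raw: bytes) -> bool:
    """True only for '101 Switching Protocols' whose Upgrade header names TLS.

    Anything else (200 with the page, 4xx/5xx, a 101 naming another protocol)
    means the server did not agree to protect the rest of the exchange.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    status = re.match(r"HTTP/1\.[01] (\d{3})", head.split("\r\n")[0])
    if not status or status.group(1) != "101":
        return False
    upgrade = _headers(head).get("upgrade", "").lower()
    return any(tok.strip().startswith("tls") for tok in upgrade.split(","))


def rp_decision(identifier: str, raw_response: Optional[bytes]) -> UpgradeProbeResult:
    """Policy the thread is debating: https is fine, http only if it upgrades."""
    scheme = urlparse(identifier).scheme
    if scheme == "https":
        return UpgradeProbeResult(identifier, True, "https identifier: TLS from the start")
    if scheme != "http":
        return UpgradeProbeResult(identifier, False, f"unsupported scheme {scheme!r}")
    if raw_response is not None and parse_upgrade_response(raw_response):
        return UpgradeProbeResult(identifier, True, "server accepted Upgrade: TLS/1.0")
    return UpgradeProbeResult(identifier, False,
                              "non-upgradeable http identifier: reject, or warn the user")


# Constructed server responses (not captured from a real OP).
SERVER_UPGRADES = (b"HTTP/1.1 101 Switching Protocols\r\n"
                   b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
                   b"Connection: Upgrade\r\n\r\n")
SERVER_PLAIN = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b"<html><head><link rel=\"openid.server\" href=\"...\"></head></html>")

if __name__ == "__main__":
    for ident, resp in [("http://foo.blogspot.com/", SERVER_UPGRADES),
                        ("http://foo.blogspot.com/", SERVER_PLAIN),
                        ("https://foo.blogspot.com/", None)]:
        r = rp_decision(ident, resp)
        print(f"{ident}: {'accept' if r.upgradable else 'reject'} ({r.reason})")
```

A 101 on its own is only the start: the RP still has to complete the TLS handshake over the same connection and validate that the presented certificate matches the identifier's host, exactly as it would for https, otherwise the upgrade adds nothing against the DNS-spoofing case mentioned above.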