[OpenID] Using HTTPS Openid Providers

[Josh Hoyt]

On 6/13/07, Immad Akhund <i.akhund at gmail.com> wrote:
> I know the openid spec says that there isn't a problem with using https but
> if I was to make an openid provider that only worked over https is there
> likely to be any openid consumer that cannot handle that?

There are a lot of relying party deployments in the wild that do not
support SSL. This is usually because the site is using an HTTP library
without SSL support. When we made myopenid.com use the SSL endpoint by
default, we got a number of support requests about sites that did not
work. Ideally, everyone would support SSL, but the grass-roots nature
of OpenID adoption means that there will be sites that do not.

> I want it to be handled by pretty much anyone so if its likely to decrease
> the chances of it being handled I will stick to http.

It's your call. Pretty much anyone who has a large site that supports
OpenID will support SSL, so you need to decide whether having some
minority of cases that fail is acceptable. It might be good, because
it would put pressure on sites that do not support fetching SSL to
upgrade their runtime environments.

> Are there examples of https openid provider out their? (this might be a
> silly question)

MyOpenID.com supports SSL, but works both ways. For example, both
https://josh.myopenid.com/ and http://josh.myopenid.com/ work.

Good luck.

Josh