[OpenID] Using HTTPS Openid Providers

Immad Akhund i.akhund at gmail.com
Thu Jun 14 16:24:32 UTC 2007


Thanks for the quick advice.

Given that Diffie-Hellman is conducted with the OpenID provider, is there
actually any additional security benefit with using HTTPS to communicate
with the OpenID provider? Does it make it significantly harder to do
man-in-the-middle attacks (if that's its purpose)?

I hadn't considered that the identity could be under HTTPS but the server
not, and vice versa. What would you see as the biggest security benefit of
using HTTPS?

> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
> For the OP-endpoint we've also defined a lower priority HTTP service
> endpoint.

Do consumers actually go to the lower priority HTTP service endpoint
automatically if they fail in using the HTTPS service? Is this specified in
the protocol?

Thanks again,
Immad

On 13/06/07, Johnny Bufu <johnny at sxip.com> wrote:
>
>
> On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:
>
> >> Are there examples of https openid provider out there? (this might
> >> be a silly question)
> >
> > MyOpenID.com supports SSL, but works both ways. For example, both
> > https://josh.myopenid.com/ and http://josh.myopenid.com/ work.
>
> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
> For the OP-endpoint we've also defined a lower priority HTTP service
> endpoint.
>
> Identifiers are HTTPS-only though; providing both HTTP and HTTPS
> identifiers to a user may confuse them, because they will end up
> using different identities if they log into an RP by presenting
> "user.op.com" vs "https://user.op.com".
>
>
> Johnny



-- 
Cell: +1 617 449 8654
Skype: i.akhund
Blog: http://immadsnewworld.blogspot.com
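
Added example (not part of the original message, and not code from any OpenID library): a sketch of how an RP normalizes a typed URL identifier, following the OpenID Authentication 2.0 rules for URL input with redirect following omitted. It shows why the two inputs quoted above, "user.op.com" and "https://user.op.com", end up as different identities. The function names are made up for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# First characters that mark the input as an XRI rather than a URL.
XRI_GLOBAL_CONTEXT = "=@+$!("
DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Return the normalized URL identifier for what the user typed."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident and ident[0] in XRI_GLOBAL_CONTEXT:
        raise ValueError("XRI identifiers are out of scope for this example")
    # No scheme typed: the RP assumes plain HTTP, never HTTPS.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.hostname:
        raise ValueError("identifier has no host")
    if parts.username or parts.password:
        # Rejecting userinfo is a choice made for this example.
        raise ValueError("userinfo is not accepted in an identifier")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    # Drop the default port so http://h:80/ and http://h/ compare equal.
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORT[scheme]) else f"{host}:{port}"
    # An empty path becomes "/"; the fragment is removed, the query is kept.
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def same_identity(a: str, b: str) -> bool:
    """True when both inputs normalize to the same identifier string."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    # Constructed inputs, taken from the two forms quoted in the thread.
    for typed in ("user.op.com", "https://user.op.com"):
        print(f"{typed!r:24} -> {normalize_identifier(typed)}")
    print("same identity:", same_identity("user.op.com", "https://user.op.com"))
```

Because the scheme is part of the identifier, an RP that keys accounts on the normalized string treats the HTTP and HTTPS forms as two separate users.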