[OpenID] Using HTTPS Openid Providers
Peter Williams
pwilliams at rapattoni.com
Fri Jun 15 15:48:33 UTC 2007
I know we will be explicitly rejecting non-SSL identity URLs on our OP. I think you have to try hard to get a HTTP library that *doesn't* support SSL out of the box now, and if it doesn't it is likely just because the local admin forgot to install the 'foo-ssl' module or similar.
------------
To which I add:
Foo-SSL providers must not be taken as a complete implementation. They have callbacks that an RP implementation must CORRECTLY implement to get the properties of an "HTTPS" URL resolver. Some foo-SSL providers use auto-learning of trust points introduced by attackers using HTTPS MITM (not SSL MITM, note); others try to create a window to get user confirmation, but fail when the account has no privilege to access a desktop (because it's a daemon account), continuing as if the answer was yes.
Summary. An RP has to treat an HTTPS user-centric-id differently to one with HTTP.
I think this HTTPS angle was a major selling point of the XRI.ORG proxy - that they had thought through this, on behalf of RPs receiving HTTPS HXRIs.
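
The fail-open confirmation described in the message, next to a fail-closed form and an RP-side resolver that only accepts HTTPS identity URLs validated against the system trust store. This is an added example, not code from the message or from any OpenID library; `no_desktop`, `confirm_fail_open`, `confirm_fail_closed`, `resolve_identifier` and `IdentifierRejected` are hypothetical names.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class IdentifierRejected(Exception):
    """The identity URL could not be resolved with HTTPS guarantees."""


def strict_tls_context():
    # Trust anchors come from the system store only; nothing is learned
    # from the peer at connection time.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def no_desktop():
    # Constructed stand-in for a prompt attempted from a daemon account.
    raise RuntimeError("no interactive desktop")


def confirm_fail_open(prompt_user):
    # The flaw described in the message: the prompt cannot be shown,
    # and the code continues as if the answer was yes.
    try:
        return prompt_user()
    except RuntimeError:
        return True


def confirm_fail_closed(prompt_user):
    # Hardened form: only an explicit True from a prompt that ran counts.
    try:
        return prompt_user() is True
    except Exception:
        return False


def resolve_identifier(url, opener=None, timeout=10):
    # An HTTP identifier is never silently treated as an HTTPS one.
    if urlsplit(url).scheme != "https":
        raise IdentifierRejected("not an HTTPS identity URL: " + url)
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context()))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except (ssl.SSLError, urllib.error.URLError) as exc:
        # Validation failure ends the resolution; there is no override path.
        raise IdentifierRejected("HTTPS validation failed: %s" % exc) from exc
```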