[OpenID] Using HTTPS Openid Providers
Josh Hoyt
josh at janrain.com
Fri Jun 15 17:55:06 UTC 2007

On 6/15/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> The Authentication 2.0 specification currently makes no comment at all
> on whether SSL should/must/can be supported by any party, because it is
> as far as possible trying to remain scheme- and transport-neutral.
> However, for interoperability we can assume that basically RPs MUST
> support SSL in their HTTP clients. They might not actually verify certs
> and so forth, but they MUST at minimum be able to establish an SSL
> connection and send data across it.

I'm in favor of stating that relying parties SHOULD implement SSL for
their endpoints, and SHOULD support HTTPS identifiers and provider
endpoints.

In addition to the problems with just getting support for SSL compiled
into the HTTP library, there are also policy decisions that need to
be made about which certificate authorities should be supported. This
makes SSL support a much trickier issue, especially if you're trying
to test compliance. For instance, would a relying party that allowed
arbitrary self-signed SSL certificates be in compliance?

Josh
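
As an added illustration of the compliance question raised above (this is not code from the thread or from any OpenID library): a relying party's HTTPS client exercised against a self-signed provider certificate under three policies, "just establish SSL", "verify against the platform CA store", and "verify against an explicitly trusted certificate". It assumes the openssl command-line tool is installed and stands up a local TLS socket in place of the provider endpoint; all function names are hypothetical.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath):
    # throw-away self-signed certificate for CN=localhost (openssl CLI assumed installed)
    cert, key = os.path.join(dirpath, "cert.pem"), os.path.join(dirpath, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def serve_once(cert, key):
    """Stand-in 'provider endpoint': answer one TLS request on a background thread."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    port = srv.getsockname()[1]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); ctx.load_cert_chain(cert, key)
    def run():
        conn, _ = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024); tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
        except OSError:
            pass  # the relying party refused our certificate and aborted the handshake
        finally:
            conn.close(); srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def rp_fetch(port, verify, cafile=None):
    """The RP's HTTPS client under one policy; True if the request went through."""
    if verify:
        # CERT_REQUIRED plus hostname check; cafile=None means the platform CA store
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # "just get SSL working": any certificate is accepted, self-signed or not
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
             ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET /openid HTTP/1.0\r\nHost: localhost\r\n\r\n")
            return tls.recv(1024).startswith(b"HTTP/1.0 200")
    except ssl.SSLCertVerificationError:
        return False  # this policy does not accept the provider's certificate

def demo():
    """Run the three RP policies against the same self-signed provider certificate."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        return {"no_verification": rp_fetch(serve_once(cert, key), verify=False),
                "platform_ca_store": rp_fetch(serve_once(cert, key), verify=True),
                "explicitly_trusted": rp_fetch(serve_once(cert, key), verify=True, cafile=cert)}
```

Only the first policy treats an arbitrary self-signed certificate as acceptable; the other two show that "supports SSL" and "verifies certificates" are separate requirements an RP can meet independently.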