[OpenID] Using HTTPS Openid Providers

=drummond.reed drummond.reed at cordance.net
Fri Jun 15 17:55:28 UTC 2007


>Peter Williams wrote:
>
>I know we will be explicitly rejecting non-SSL identity URLs on our OP. I
>think you have to try hard to get a HTTP library that *doesn't* support SSL
>out of the box now, and if it doesn't it is likely just because the local
>admin forgot to install the 'foo-ssl' module or similar.
>
>------------
>
>To which I add:
>
>Foo-SSL providers must not be taken as a complete implementation. They have
>callbacks, that an RP implementation must CORRECTLY implement to get the
>properties of an "HTTPS" URL resolver. Some foo-SSL providers use
>auto-learning of trust points introduced by attackers using HTTPS MITM (not
>SSL MITM, note); others try to create a window to get user confirmation, but
>fail when the account has no privilege to access a desktop (because it's a
>daemon account), continuing as if the answer was yes.
>
>Summary. An RP has to treat an HTTPS user-centric-id differently to one
>with HTTP.
>
>I think this HTTPS angle was a major selling point of the XRI.ORG proxy -
>that they had thought through this, on behalf of RPs receiving HTTPS HXRIs.

Peter, I assume you mean the XDI.org XRI proxy resolver (that operates at
xri.net). Yes, one of the advantages of XRI resolution architecture, because
it layers over IP/DNS-based URI architecture, is that you can secure an XRI
proxy, or any XRI registry (no matter how many identifiers it serves) with
a single SSL cert. That's why the OpenID Authentication 2.0 spec mandates
HTTPS for resolving all XRI =names/numbers and @names/numbers.

=Drummond (http://xri.net/=drummond.reed)  
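Added example (not code from this list, from any OP/RP library, or from the xri.net proxy): the relying-party-side behaviour Peter describes, written so that it fails closed. It refuses non-HTTPS identifiers, insists on a TLS context that still verifies the chain and the hostname (so a "foo-ssl" default that auto-learns trust points is caught before any request is made), and answers "no" when an unknown issuer would need user confirmation but nobody is at a desktop. The function names, the exception class and the assumption that =names and @names are resolved through https://xri.net/ are mine; it makes no network connection and runs offline.

```python
"""Fail-closed handling of claimed identifiers at an OpenID relying party.

Added example, not code from the OpenID list or from any OP/RP library.
All names below (classify_identifier, strict_tls_context, ...) are
hypothetical, as is the https://xri.net/ proxy URL form used for XRIs.
Nothing here opens a socket; it only decides what an RP may do.
"""
import ssl
import sys
from urllib.parse import urlsplit

XRI_PROXY = "https://xri.net/"   # assumption: proxy resolver reached over HTTPS


class IdentifierRejected(ValueError):
    """Raised for identifiers the RP refuses to resolve at all."""


def classify_identifier(identifier: str) -> dict:
    """Normalize a claimed identifier and say how it must be resolved.

    =names / @names go through the HTTPS proxy; plain HTTP URLs are refused
    outright; HTTPS URLs are kept and must be fetched with the strict context.
    """
    ident = identifier.strip()
    if ident[:1] in ("=", "@"):
        return {"kind": "xri", "resolve_via": XRI_PROXY + ident}
    parts = urlsplit(ident)
    if parts.scheme != "https":
        raise IdentifierRejected(f"non-HTTPS identifier refused: {identifier!r}")
    if not parts.hostname:
        raise IdentifierRejected(f"identifier has no host: {identifier!r}")
    return {"kind": "url", "resolve_via": ident}


def identifier_is_acceptable(identifier: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no."""
    try:
        classify_identifier(identifier)
        return True
    except IdentifierRejected:
        return False


def strict_tls_context() -> ssl.SSLContext:
    """Client context with chain verification and hostname checking forced on."""
    ctx = ssl.create_default_context()      # loads the system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Refuse to use a context that some library default has weakened."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def weakened_context() -> ssl.SSLContext:
    """What an unconfigured 'foo-ssl' client often hands you: no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def confirm_unknown_trust_point(fingerprint: str, interactive=None) -> bool:
    """Confirmation callback for an issuer that is not in the trust store.

    A daemon account has no desktop to show a dialog on, so when nobody can
    be asked the answer is False, never an implicit yes.
    """
    if interactive is None:
        interactive = sys.stdin is not None and sys.stdin.isatty()
    if not interactive:
        return False
    answer = input(f"Trust new issuer {fingerprint}? [y/N] ")
    return answer.strip().lower() == "y"


def resolver_policy(identifier: str, ctx: ssl.SSLContext) -> str:
    """Single decision point an RP would call before fetching anything."""
    target = classify_identifier(identifier)["resolve_via"]
    if not context_is_strict(ctx):
        raise IdentifierRejected("TLS context does not verify peers; refusing")
    return target


if __name__ == "__main__":
    for ident in ("=drummond.reed", "https://example.com/alice", "http://example.com/bob"):
        try:
            print(ident, "->", resolver_policy(ident, strict_tls_context()))
        except IdentifierRejected as exc:
            print(ident, "-> REFUSED:", exc)
    print("daemon confirmation:", confirm_unknown_trust_point("ab:cd", interactive=False))
```

The point of `context_is_strict` is that the check runs on the context object itself, before any request: a client library that silently "learns" a new trust point, or that skips hostname checking unless a callback is wired up, is caught by the RP rather than by whoever is sitting at the MITM.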
