[OpenID] Using HTTPS Openid Providers
Martin Atkins
mart at degeneration.co.uk
Fri Jun 15 18:11:44 UTC 2007
Josh Hoyt wrote:
> On 6/15/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>> The Authentication 2.0 specification currently makes no comment at all
>> on whether SSL should/must/can be supported by any party, because it is
>> as far as possible trying to remain scheme- and transport-neutral.
>> However, for interoperability we can assume that basically RPs MUST
>> support SSL in their HTTP clients. They might not actually verify certs
>> and so forth, but they MUST at minimum be able to establish an SSL
>> connection and send data across it.
>
> I'm in favor of stating that relying parties SHOULD implement SSL for
> their endpoints, and SHOULD support HTTPS identifiers and provider
> endpoints.
If you say that OPs may use SSL, this implies that RPs MUST support SSL.
All RPs must be able to authenticate against all conformant OPs for
reasons of user experience.
> In addition to the problems with just getting support for SSL compiled
> in to the HTTP library, there are also policy decisions that need to
> be made about which certificate authorities should be supported. This
> makes SSL support a much trickier issue, especially if you're trying
> to test compliance. For instance, would a relying party that allowed
> arbitrary self-signed SSL certificates be in compliance?
For RPs that don't really care about security but are just supporting
SSL because they want to be able to support SSL-only OPs, they can
presumably just ignore the signature validation check altogether. SSL
provides both authentication (of a sort) and encryption, but an RP that
would otherwise not have supported SSL can just make use of the
encryption part.
Of course, RPs SHOULD check certs.
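As an added illustration of the two RP policies discussed in this thread (it is not code from the thread, from OpenID or from any library), the following Python 3 sketch shows an RP's HTTPS client with certificate verification on (authentication plus encryption) and off (encryption only, any self-signed certificate accepted). The class and function names, the `cafile` parameter for the RP's chosen CA set, and the scheme check are assumptions of this example, not anything the specification mandates.

```python
"""Added example (not from the thread): an OpenID RP's HTTPS client with the
two policies discussed above, certificate verification on or off."""
import ssl
import urllib.request
from urllib.parse import urlsplit


class RpTlsPolicy:
    """How the RP treats the TLS connection to an OP endpoint (hypothetical).

    verify_certs=True  : authentication + encryption (the "SHOULD check certs"
                         case).
    verify_certs=False : encryption only; any certificate, including a
                         self-signed one, is accepted, so an attacker on the
                         path can impersonate the OP.
    cafile             : optional PEM bundle of the CAs this RP decides to
                         trust (the policy decision raised above); None means
                         the platform default store.
    """

    def __init__(self, verify_certs=True, cafile=None):
        self.verify_certs = verify_certs
        self.cafile = cafile

    def context(self):
        ctx = ssl.create_default_context(cafile=self.cafile)
        if not self.verify_certs:
            # Order matters: check_hostname must be off before CERT_NONE.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        return ctx

    def verifies_peer(self):
        """True only if the OP's certificate and hostname are both checked."""
        ctx = self.context()
        return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

    def guarantees(self):
        """What the RP actually gets from the connection under this policy."""
        return {"encryption": True, "authentication": self.verifies_peer()}


def fetch_op_endpoint(url, policy, timeout=10):
    """Fetch an OP endpoint (e.g. during discovery) under the given policy.

    Rejects non-HTTP(S) schemes so a user-supplied identifier cannot steer the
    RP at other URL handlers. With verify_certs=True a self-signed or
    mismatched certificate raises ssl.SSLCertVerificationError.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("OP endpoint must be http or https: %r" % url)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=policy.context()))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed demonstration; no network access is made here.
    print(RpTlsPolicy().guarantees())
    print(RpTlsPolicy(verify_certs=False).guarantees())
```

An RP that only wants to reach SSL-only OPs can run with `verify_certs=False` and still gets confidentiality on the wire, but `guarantees()` makes the cost explicit: nothing authenticates the OP, so the RP should treat that mode as a deliberate, logged opt-in rather than the default.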