[OpenID] Using HTTPS Openid Providers
Josh Hoyt
josh at janrain.com
Fri Jun 15 19:00:04 UTC 2007
On 6/15/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> All RPs must be able to authenticate against all conformant OPs for
> reasons of user experience.
I disagree with this reasoning. Ideally, every provider would work
with every relying party, but there will be plenty of cases where a
provider doesn't work with a relying party for reasons of policy.
There will be times when a relying party rejects authentication
because, for instance, it doesn't trust the provider. To a user, this
is equivalent (my identifier doesn't work here).
There will always be trade-offs. It's important to consider
consistency of user experience, but I think that requiring relying
parties to support SSL providers and identifiers will just result in
the same relying parties being out-of-spec.
I think that in this case, SHOULD is adequate. From RFC2119:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
"My hosting environment doesn't have SSL support in my language
runtime" is a valid reason not to support SSL, in my opinion.
Josh