[OpenID] Using HTTPS Openid Providers

Martin Atkins mart at degeneration.co.uk
Fri Jun 15 19:23:28 UTC 2007


Josh Hoyt wrote:
> On 6/15/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>> All RPs must be able to authenticate against all conformant OPs for
>> reasons of user experience.
> 
> I disagree with this reasoning. Ideally, every provider would work
> with every relying party, but there will be plenty of cases where a
> provider doesn't work with a relying party for reasons of policy.
> There will be times when a relying party rejects authentication
> because, for instance, it doesn't trust the provider. To a user, this
> is equivalent (my identifier doesn't work here).

At least in this case the RP can say,

"Sorry. We don't accept logins from insecureidp.com because they are 
known to have security problems."

A conscious policy decision (with a suitable explanation) is one thing, 
but it just not working (for example, discovery just failing with a 
generic error message) makes it look like OpenID is broken rather than 
the blame falling on either the RP that instituted the policy or the OP 
for having whatever limitation caused them to be verboten.

> There will always be trade-offs. It's important to consider
> consistency of user experience, but I think that requiring relying
> parties to support SSL providers and identifiers will just result in
> the same relying parties being out-of-spec.
> 
> I think that in this case, SHOULD is adequate. From RFC2119:
> 
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
> 
> "My hosting environment doesn't have SSL support in my language
> runtime" is a valid reason not to support SSL, in my opinion.
> 

Perhaps as a compromise the full situation could be clarified by 
including an extra sentence that explains why it sucks for an RP *not* 
to support SSL. If they still want to go ahead and leave it out then 
it's their call, but at least they can't say they weren't warned.
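As an added illustration of the point made above (this is example code, not anything posted in the thread or part of any OpenID library), here is a relying-party-side pre-discovery check that turns the two situations discussed into distinct, user-facing explanations: a conscious policy refusal of a particular OP, and the RP's own runtime lacking TLS support. The host names, the policy reasons, and the identifier strings are constructed for the example; the `BLOCKED_OPS` table and the return format are assumptions of this example, not part of the OpenID specification.

```python
"""Added example (not from the OpenID list thread): classify an OpenID
identifier before discovery so the user is told the real cause of a
refusal instead of a generic "discovery failed" message.

Constructed for illustration: the BLOCKED_OPS table, its hosts and
reasons, and the identifiers used in the usage section at the bottom.
"""
import importlib.util
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed policy list: OPs this RP has consciously chosen to refuse,
# each with the reason the user will be shown.
BLOCKED_OPS = {
    "insecureidp.example": "known to have security problems",
}


def tls_available() -> bool:
    """True when the runtime can speak TLS.  The "my language runtime has
    no SSL support" case from the thread is exactly when this is False."""
    return importlib.util.find_spec("ssl") is not None


def normalize_identifier(identifier: str) -> str:
    """OpenID 2.0 style URL normalization: a bare host gets 'http://',
    an empty path becomes '/', and any fragment is dropped.  An explicit
    https:// scheme is kept as-is and is never downgraded to http."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       parts.query, ""))


def check_identifier(identifier: str,
                     have_tls: Optional[bool] = None) -> dict:
    """Decide, before any network discovery, whether this RP can and will
    proceed with the given identifier.

    Returns {'ok': bool, 'reason': short code, 'url': normalized URL,
    'message': text for the user}.  The message names the actual cause so
    the user can tell a deliberate RP policy from a capability gap in this
    RP, rather than concluding that OpenID itself is broken.

    Note: before discovery only the identifier's host is known; an OP
    reached through delegation would have to be re-checked after
    discovery, which this example does not cover.
    """
    if have_tls is None:
        have_tls = tls_available()
    url = normalize_identifier(identifier)
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        return {"ok": False, "reason": "bad_scheme", "url": url,
                "message": f"'{identifier}' is not an http or https "
                           f"identifier."}

    if host in BLOCKED_OPS:
        # The conscious policy decision, with its explanation attached.
        return {"ok": False, "reason": "policy", "url": url,
                "message": f"Sorry. We don't accept logins from {host} "
                           f"because they are {BLOCKED_OPS[host]}."}

    if parts.scheme == "https" and not have_tls:
        # Fail closed: do not silently retry the identifier over plain
        # http, and say plainly that the limitation is on this side.
        return {"ok": False, "reason": "no_tls", "url": url,
                "message": f"This site cannot verify HTTPS identifiers "
                           f"such as {url} because our server has no TLS "
                           f"support. This is a limitation of this site, "
                           f"not of your provider."}

    return {"ok": True, "reason": "discover", "url": url,
            "message": f"Proceeding to discovery for {url}."}


if __name__ == "__main__":
    # Constructed identifiers exercising each outcome.
    for ident, tls in [("alice.example", True),
                       ("insecureidp.example/alice", True),
                       ("https://alice.example", False),
                       ("https://alice.example", True)]:
        result = check_identifier(ident, have_tls=tls)
        print(f"{ident!r:32} tls={tls!s:5} -> {result['reason']:9} "
              f"{result['message']}")
```

The design choice worth noting is the `no_tls` branch: an RP that cannot verify an HTTPS identifier refuses it with an explanation rather than quietly fetching the same URL over plain HTTP, so the RP's lack of SSL support never turns into a silent downgrade for the user.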