[OpenID] Reconsidering http://openid different from https://openid

John Panzer jpanzer at acm.org
Fri Sep 14 23:00:22 UTC 2007


Johannes Ernst wrote:
> I'm one of the guys who actually maintains an ACL (Access Control 
> List) based on OpenID identities. The process works like this:
>  - Customer: hey, I'd like access to your website
>  - Me: sure, send me your OpenID
>  - Customer: foo.bar.com
>  - Me: adding http://foo.bar.com/ to the ACL
>  - Customer: hey, I tried but it doesn't work
>  - Me (diagnosing): that's because you entered 'https://foo.bar.com/' 
> and not 'http://foo.bar.com/'.
>
> This happens in a surprisingly large number of cases.
>
> No user seems to put any significance into the http vs. https as part 
> of their identifier; even the people who do have the technical 
> understanding to distinguish the two tend to fail understanding that 
> within this community, we treat them as different identities.
I think that treating these as different identities would be a fairly 
major potential impersonation security problem.
>
> I'd like to revisit this issue, as actual user behavior as I'm seeing 
> it tends to conflict with the assumptions we made when defining these 
> are two different identities. Specifically, I'd like the spec to say:
>
> "Identifiers distinguished only by the 'http' vs. 'https' in the 
> protocol part of the URL (e.g. 'https://foo.bar.com/' vs 
> 'http://foo.bar.com/') refer to the same identity. Conforming 
> implementations must ensure that attackers cannot use an identifier 
> distinguished only by the protocol to impersonate a victim."
>
> Johannes Ernst
> NetMesh Inc.
> http://netmesh.info/jernst

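The ACL workflow Johannes describes, together with the rule he proposes (identifiers that differ only in http vs. https name the same identity, and an implementation must still prevent impersonation across that difference), can be shown in working code. The following is an added example written for this archive page; it is not code from either poster, from NetMesh, or from any OpenID library. It assumes the OpenID 2.0 URL normalization steps (prepend http:// to a bare host, lowercase scheme and host, drop default port and fragment, use "/" for an empty path), builds a scheme-insensitive key for ACL lookup, and records which scheme the administrator actually listed so that an https entry asserted as plain http can be refused. The "allow_downgrade" switch and the result dictionary are this example's own design, not anything the thread specifies.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that normalization strips (assumption: only http/https identifiers).
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid(identifier: str) -> str:
    """Normalize a user-typed URL identifier roughly as OpenID 2.0 section 7.2 does:
    prepend http:// when there is no scheme, lowercase scheme and host, drop a
    default port and any fragment, and use '/' for an empty path. Userinfo
    ('user@host') is discarded; this example does not handle XRIs."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident          # 'foo.bar.com' becomes 'http://foo.bar.com'
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port                      # None when no explicit port was given
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def identity_key(identifier: str) -> str:
    """Scheme-insensitive key: the normalized identifier with its scheme removed,
    so http://foo.bar.com/ and https://foo.bar.com/ map to the same key."""
    parts = urlsplit(normalize_openid(identifier))
    return urlunsplit(("", parts.netloc, parts.path, parts.query, ""))


class OpenIDACL:
    """ACL keyed by scheme-insensitive identity. It remembers which scheme(s) the
    administrator listed for each entry so a mismatch can be reported or denied."""

    def __init__(self, entries):
        self._schemes = {}                 # identity key -> set of listed schemes
        for entry in entries:
            norm = normalize_openid(entry)
            self._schemes.setdefault(identity_key(norm), set()).add(urlsplit(norm).scheme)

    def check(self, asserted: str, allow_downgrade: bool = True) -> dict:
        """Decide whether an asserted (already OpenID-verified) identifier is on
        the ACL. Returns a dict with 'allowed', 'reason' and the normalized form."""
        norm = normalize_openid(asserted)
        key = identity_key(norm)
        scheme = urlsplit(norm).scheme
        listed = self._schemes.get(key)
        if listed is None:
            return {"allowed": False, "reason": "not on ACL", "normalized": norm}
        if scheme in listed:
            return {"allowed": True, "reason": "exact scheme match", "normalized": norm}
        # Same identity, different scheme. The risky direction is an https entry
        # asserted as http: whoever can answer for the non-TLS http://... URL could
        # then be accepted as the https owner. Deny that when downgrade is disallowed.
        if scheme == "http" and not allow_downgrade:
            return {"allowed": False, "reason": "https entry asserted as http", "normalized": norm}
        return {"allowed": True, "reason": "scheme-insensitive match", "normalized": norm}


if __name__ == "__main__":
    # Constructed sample: the administrator added the http form, as in the thread,
    # and the customer logs in with the https form.
    acl = OpenIDACL(["http://foo.bar.com/"])
    print(acl.check("https://foo.bar.com/"))
    strict = OpenIDACL(["https://foo.bar.com/"])
    print(strict.check("foo.bar.com", allow_downgrade=False))
```

With allow_downgrade left at its default the class implements exactly the proposed rule (the two forms are one identity); setting it to False keeps the same-identity behaviour for http-listed entries while refusing to honour an http assertion against an https-only entry, which is one way to satisfy the "must ensure that attackers cannot ... impersonate a victim" clause.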
