[OpenID] Reconsidering http://openid different from https://openid
Johannes Ernst
jernst+openid.net at netmesh.us
Sun Sep 16 03:25:38 UTC 2007
On Sep 14, 2007, at 16:00, John Panzer wrote:
> Johannes Ernst wrote:
>> I'm one of the guys who actually maintains an ACL (Access Control
>> List) based on OpenID identities. The process works like this:
>> - Customer: hey, I'd like access to your website
>> - Me: sure, send me your OpenID
>> - Customer: foo.bar.com
>> - Me: adding http://foo.bar.com/ to the ACL
>> - Customer: hey, I tried but it doesn't work
>> - Me (diagnosing): that's because you entered 'https://foo.bar.com/'
>> and not 'http://foo.bar.com/'.
>>
>> This happens in a surprisingly large number of cases.
>>
>> No user seems to put any significance into the http vs. https as
>> part of their identifier; even the people who do have the
>> technical understanding to distinguish the two tend to fail to
>> understand that within this community, we treat them as
>> different identities.
> I think that treating these as different identities would be a
> fairly major potential impersonation security problem.
Exactly my point. This should be part of the spec.
Editors, anybody?
>>
>> I'd like to revisit this issue, as actual user behavior as I'm
>> seeing it tends to conflict with the assumptions we made when
>> defining these are two different identities. Specifically, I'd
>> like the spec to say:
>>
>> "Identifiers distinguished only by the 'http' vs. 'https' in the
>> protocol part of the URL (e.g. 'https://foo.bar.com/' vs
>> 'http://foo.bar.com/') refer to the same identity. Conforming
>> implementations must ensure that attackers cannot use an
>> identifier distinguished only by the protocol to impersonate a
>> victim."
>> Johannes Ernst
>> NetMesh Inc.
>> http://netmesh.info/jernst
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
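The ACL matching the thread describes, written up as an added example (not code from the list, from NetMesh, or from any OpenID library): a typed identifier is normalized the way OpenID 2.0 does (prepend http:// when no scheme is given, lowercase scheme and host, add a trailing slash to an empty path, drop any fragment), and the ACL is then keyed on the scheme-less form, so the scheme-only difference that causes the support round-trip above no longer produces a mismatch. The OpenIDACL class, its method names, and the sample identifiers are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_openid_url(user_input: str) -> str:
    """Normalize a user-typed URL identifier along the lines of OpenID 2.0
    identifier normalization: prepend http:// when no scheme is present,
    lowercase scheme and host, use '/' for an empty path, drop the fragment.
    Only http and https are accepted here (assumption for this example)."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme}")
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def acl_key(identifier: str) -> str:
    """ACL lookup key: the normalized identifier with the scheme removed, so
    that http://foo.bar.com/ and https://foo.bar.com/ name the same entry,
    as the proposed spec wording requires."""
    return normalize_openid_url(identifier).split("://", 1)[1]


class OpenIDACL:
    """Minimal allow-list of OpenID identifiers keyed scheme-insensitively
    (hypothetical class, not from any OpenID library)."""

    def __init__(self) -> None:
        self._allowed: set[str] = set()

    def add(self, identifier: str) -> None:
        # 'foo.bar.com' as sent by the customer, 'http://foo.bar.com/' as
        # entered by the admin, and 'https://foo.bar.com/' all map to one key.
        self._allowed.add(acl_key(identifier))

    def is_allowed(self, claimed_id: str) -> bool:
        # Host and path still have to match exactly; only the scheme is ignored.
        return acl_key(claimed_id) in self._allowed
```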