[OpenID] Reconsidering http://openid different from https://openid
Dick Hardt
dick at sxip.com
Sun Sep 16 06:56:20 UTC 2007
On 15-Sep-07, at 8:25 PM, Johannes Ernst wrote:
>
> On Sep 14, 2007, at 16:00, John Panzer wrote:
>
>> Johannes Ernst wrote:
>>> I'm one of the guys who actually maintains an ACL (Access Control
>>> List) based on OpenID identities. The process works like this:
>>> - Customer: hey, I'd like access to your website
>>> - Me: sure, send me your OpenID
>>> - Customer: foo.bar.com
>>> - Me: adding http://foo.bar.com/ to the ACL
>>> - Customer: hey, I tried but it doesn't work
>>> - Me (diagnosing): that's because you entered 'https://foo.bar.com/'
>>> and not 'http://foo.bar.com/'.
>>>
>>> This happens in a surprisingly large number of cases.
>>>
>>> No user seems to put any significance into the http vs. https as
>>> part of their identifier; even the people who do have the
>>> technical understanding to distinguish the two tend to fail to
>>> understand that within this community, we treat them as
>>> different identities.
>> I think that treating these as different identities would be a
>> fairly major potential impersonation security problem.
>
> Exactly my point. This should be part of the spec.
>
> Editors, anybody?
I don't have a good answer, all the ones that come to mind are ugly
and have some issue.
-- Dick
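The ACL failure Johannes describes, reproduced as an added example (this code is not from the thread or from any OpenID library). It normalises a typed URL identifier the way OpenID 2.0 does as understood here (prefix http:// when no scheme is given, drop the fragment, RFC 3986 case/port/path normalisation; redirect-following and XRIs are skipped so it runs offline), then shows three ACL lookup policies: strict scheme matching, which is what the spec's identifier comparison gives and which rejects the customer in the thread; scheme-agnostic matching; and an "upgrade-only" policy that is this example's own design choice, not something the thread settles. The ACL contents and the identifier foo.bar.com are constructed from the thread's scenario.

```python
"""Added example: OpenID URL-identifier normalisation and three ACL policies.

Assumptions (not stated in the thread): normalisation follows OpenID 2.0
URL-identifier rules as understood here, without the redirect-following step;
the ACL is a plain list of identifier strings; the caller has already verified
the OpenID assertion for the identifier before consulting the ACL.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(identifier: str) -> str:
    """Normalise a user-typed URL identifier; the scheme is preserved,
    so http://... and https://... remain different identifiers."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident          # no scheme given: treat as http
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname is case-insensitive
    port = parts.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        netloc = host                      # drop an explicit default port
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"               # empty path becomes "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment dropped


def _split(identifier: str):
    """Return (scheme, everything-but-scheme) for a normalised identifier."""
    scheme, netloc, path, query, _ = urlsplit(normalize(identifier))
    return scheme, (netloc, path, query)


def strict_lookup(acl, identifier: str) -> bool:
    """Exact match after normalisation: the scheme is part of the identity.
    An ACL holding http://foo.bar.com/ does not admit https://foo.bar.com/."""
    return normalize(identifier) in {normalize(e) for e in acl}


def scheme_agnostic_lookup(acl, identifier: str) -> bool:
    """Ignore the scheme in both directions: an http assertion also
    satisfies an ACL entry that was written with https."""
    wanted = _split(identifier)[1]
    return any(_split(e)[1] == wanted for e in acl)


def upgrade_only_lookup(acl, identifier: str) -> bool:
    """Design choice for this example: an entry written with http:// is
    satisfied by either scheme, but an entry written with https:// is only
    satisfied by an https identifier."""
    scheme, rest = _split(identifier)
    for entry in acl:
        entry_scheme, entry_rest = _split(entry)
        if entry_rest != rest:
            continue
        if entry_scheme == "http" or scheme == "https":
            return True
    return False


if __name__ == "__main__":
    # Constructed from the thread: the ACL entry Johannes added and the
    # identifier the customer actually typed.
    acl = ["http://foo.bar.com/"]
    typed = "https://foo.bar.com/"
    for lookup in (strict_lookup, scheme_agnostic_lookup, upgrade_only_lookup):
        print(f"{lookup.__name__:24s} {lookup(acl, typed)}")
```

Whichever policy the ACL uses, it decides only which entries an identifier matches; it is consulted after the OpenID assertion for that exact, scheme-bearing identifier has been verified. The upgrade-only variant keeps an https entry from being satisfied by the plaintext form while still admitting the customer in the thread, which is why it is shown beside the scheme-agnostic one rather than in place of it.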