[OpenID] Reconsidering http://openid different from https://openid
Johnny Bufu
johnny at sxip.com
Wed Sep 19 06:19:29 UTC 2007
On 18-Sep-07, at 7:56 PM, Johannes Ernst wrote:
> Perhaps I'm not understanding what you are saying, but I don't think
> that "making HTTP and HTTPS identifiers equivalent eliminates any
> security benefit ... from .. TLS".
>
> A Relying Party could still choose to only accept HTTPS identifiers.
> (thereby mandating the TLS security benefits).
The user will not be able to choose to have their identity not
vulnerable to DNS attacks. Compromising the HTTP identifier would
allow the attacker to impersonate and have access to the RPs where
the user wanted only the HTTPS identifier to have access.
Johnny
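The Relying-Party-side check this reply argues about, as an added example that is not code from the thread or from any OpenID library: it normalizes a claimed identifier while keeping its scheme, then compares it against the RP's account table under two policies. The host `openid.example`, the account table and the assertion values are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """Canonical form of an OpenID URL identifier: scheme and host lowercased,
    default port dropped, empty path becomes '/'. The scheme is kept."""
    parts = urlsplit(identifier.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def identifiers_match(stored: str, asserted: str, schemes_equivalent: bool) -> bool:
    """True if the asserted identifier should be treated as the stored one.
    With schemes_equivalent=True the RP ignores http vs https (the policy the
    reply warns against); with False the scheme must match exactly."""
    a = urlsplit(normalize_identifier(stored))
    b = urlsplit(normalize_identifier(asserted))
    same_location = (a.netloc, a.path, a.query) == (b.netloc, b.path, b.query)
    if schemes_equivalent:
        return same_location
    return same_location and a.scheme == b.scheme


# Constructed account table: this user only ever registered the HTTPS identifier.
ACCOUNTS = {"https://openid.example/alice": "alice"}


def login_outcome(accounts: dict, asserted: str, schemes_equivalent: bool):
    """Return the account a positive assertion for `asserted` would log into,
    or None if no stored identifier matches under the chosen policy."""
    for stored, user in accounts.items():
        if identifiers_match(stored, asserted, schemes_equivalent):
            return user
    return None


if __name__ == "__main__":
    # An assertion for the plain-HTTP twin of the identifier (the one an
    # attacker who controls DNS for the host could obtain) logs in as alice
    # only when the RP treats the two schemes as equivalent.
    print(login_outcome(ACCOUNTS, "http://openid.example/alice", True))   # alice
    print(login_outcome(ACCOUNTS, "http://openid.example/alice", False))  # None
```

Under the strict policy the RP can still accept HTTP identifiers for other users; it just never lets an HTTP assertion stand in for an account that was created with the HTTPS identifier.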