[OpenID] Reconsidering http://openid different from https://openid
George Fletcher
gffletch at aol.com
Wed Sep 19 14:07:51 UTC 2007
But isn't that a choice of the RP? The RP could allow the user to
select an option that says that only https identifiers are allowed.
That would protect the user from the attack of someone using an http
identifier. This could be the default option and the user could turn it
off if they want.
I agree that if an https identifier exists, then an http identifier with
a different OP should not be allowed. It seems like it should be
possible to "upgrade" an http to an https identifier (provided some
criteria are met; e.g. the same OP is used for both identifiers?, the
same association handle is used for both?).
However, if an https identifier exists (i.e. the user explicitly used an
https identifier in the past) then an http identifier shouldn't be
accepted. If the user chose to use https at least once in the past, why
would the RP want to allow the user to now use http for the same identifier?
Thanks,
George
Johnny Bufu wrote:
> On 18-Sep-07, at 7:56 PM, Johannes Ernst wrote:
>
>
>> Perhaps I'm not understanding what you are saying, but I don't think
>> that "making HTTP and HTTPS identifiers equivalent eliminates any
>> security benefit ... from .. TLS".
>>
>> A Relying Party could still choose to only accept HTTPS identifiers.
>> (thereby mandating the TLS security benefits).
>>
>
> The user will not be able to choose to have their identity not
> vulnerable to DNS attacks. Compromising the HTTP identifier would
> allow the attacker to impersonate and have access to the RPs where
> the user wanted only the HTTPS identifier to have access.
>
>
> Johnny
--
George Fletcher
Chief Architect, Identity Services, AOL LLC
Work: george.fletcher at corp.aol.com
Home: gffletch at aol.com
AIM: gffletch
Mobile: +1-703-462-3494
Office: +1-703-265-2544
Blog: http://practicalid.blogspot.com
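The RP-side acceptance rules George sketches above (https-only identifiers as a default the user can turn off, no http identifier once the https form has been used, and an http-to-https "upgrade" only when the same OP serves both forms), written out as an added Python example. This is illustrative code, not part of the thread and not the code of any OpenID library; it assumes discovery and signature checking have already happened and that the OP endpoint URL is what identifies "the same OP". Names such as IdentifierPolicy and the example hosts are hypothetical.

```python
"""Relying-party acceptance policy for http:// vs https:// OpenID identifiers.

Hypothetical example (not from the OpenID list thread or any library):
 - an RP-level option that accepts only https identifiers, on by default,
 - never accepting the http form of an identifier once the https form has
   been used at this RP (no downgrade),
 - allowing an http -> https "upgrade" only when the same OP endpoint
   asserted both forms.
Discovery, association and signature verification are out of scope; the
OP endpoint is passed in as if already obtained from discovery.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit


def canonical_key(identifier: str) -> str:
    """Scheme-independent key for an identifier: lower-cased host plus path
    (empty path normalised to '/') plus query. 'http://x.example/' and
    'https://x.example/' map to the same key so the policy can relate them.
    Port defaults are deliberately not normalised here."""
    parts = urlsplit(identifier.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) identifier: %r" % identifier)
    key = parts.netloc.lower() + (parts.path or "/")
    if parts.query:
        key += "?" + parts.query
    return key


@dataclass
class Record:
    """What this RP has seen for one canonical identifier."""
    schemes: Set[str] = field(default_factory=set)  # {"http"}, {"https"} or both
    op_endpoint: str = ""                            # OP that asserted it


@dataclass
class IdentifierPolicy:
    https_only: bool = True                          # proposed default; user may turn off
    records: Dict[str, Record] = field(default_factory=dict)

    def decide(self, identifier: str, op_endpoint: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a positive assertion about `identifier`
        made by the OP at `op_endpoint`, and update the RP's records."""
        scheme = urlsplit(identifier.strip()).scheme.lower()
        key = canonical_key(identifier)

        if scheme == "http" and self.https_only:
            return False, "policy: only https identifiers are accepted"

        rec = self.records.get(key)
        if rec is None:
            self.records[key] = Record({scheme}, op_endpoint)
            return True, "first use, recorded"

        if scheme == "http" and "https" in rec.schemes:
            # The user chose https for this identifier at least once; an http
            # assertion (possibly from a DNS-spoofed OP) is never accepted now.
            return False, "downgrade: https form of this identifier was used before"

        if scheme == "https" and "https" not in rec.schemes:
            # Upgrade criterion assumed here: the same OP endpoint must assert
            # the https form that asserted the http form.
            if rec.op_endpoint != op_endpoint:
                return False, "upgrade refused: https form asserted by a different OP"
            rec.schemes.add("https")
            return True, "upgraded http -> https (same OP)"

        rec.op_endpoint = op_endpoint
        return True, "known identifier"


def demo() -> List[Tuple[bool, str]]:
    """Walk the scenarios from the thread with constructed identifiers and OPs."""
    rp = IdentifierPolicy(https_only=False)     # user turned the strict option off
    op_a = "https://op-a.example/server"
    op_b = "https://op-b.example/server"
    return [
        rp.decide("https://alice.example/", op_a),               # first use
        rp.decide("http://alice.example/", op_b),                # downgrade -> refused
        rp.decide("http://bob.example/", op_a),                  # http only, allowed
        rp.decide("https://bob.example/", op_b),                 # upgrade via other OP
        rp.decide("https://bob.example/", op_a),                 # upgrade via same OP
        IdentifierPolicy().decide("http://carol.example/", op_a),  # default: https only
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The record store is the interesting part: without remembering which scheme a user has presented before, the RP cannot tell a legitimate http login from the attack Johnny describes, however strict its per-login checks are.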