[OpenID] Reconsidering http://openid different from https://openid

Johnny Bufu johnny at sxip.com
Wed Sep 19 17:58:19 UTC 2007


On 19-Sep-07, at 7:07 AM, George Fletcher wrote:

> But isn't that a choice of the RP?  The RP could allow the user to  
> select an option that says that only https identifiers are  
> allowed.  That would protect the user from the attack of someone  
> using an http identifier.  This could be the default option and the  
> user could turn it off if they want.

OpenID being user-centric, and the user being the "owner" of the  
identifier, I'd say it should be the user's choice.

I can see two issues with what you're proposing:
- how many users will have the knowledge to make the right choice  
when prompted by the RP?
- the user has no choice at those RPs that don't care about HTTP/HTTPS
differences, and don't prompt the user to make the choice.

I agree the RPs should be allowed to decide authorization and  
policies, but my feeling is that the protocol should put the user in  
control over features that impact the security of the identifiers.


> I agree that if an https identifier exists, then an http identifier  
> with a different OP should not be allowed.

How is an RP able to tell that an HTTPS identifier exists, when the
attacker presents the HTTP identifier to it for the first time, after
having compromised the DNS such that the HTTPS identifier is no
longer reachable?

> It seems like it should be possible to "upgrade" an http to an
> https identifier (provided some criteria are met; e.g. the same OP
> is used for both identifiers?, the same association handle is used
> for both?).

Yes, upgrading would be great if it can be made to work nicely.

> However, if an https identifier exists (i.e. the user explicitly  
> used an https identifier in the past) then an http identifier  
> shouldn't be accepted.  If the user chose to use https at least  
> once in the past, why would the RP want to allow the user to now  
> use http for the same identifier?

If I stop paying for a dedicated IP address and a certificate, I  
won't be able to use http://my.blog.com/ as my (new) identifier at  
the RPs where I've used https://my.blog.com/ ?


Johnny
