[OpenID] Reconsidering http://openid different from https://openid

Johannes Ernst jernst+openid.net at netmesh.us
Wed Sep 19 21:49:24 UTC 2007


On Sep 19, 2007, at 12:42, Josh Hoyt wrote:
> On 9/19/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>> I would also guess that a (human-level) impersonation attack by
>> http://foo against https://foo will almost always be successful -
>> e.g. because so many RPs don't print the protocol prefix.
>
> How would such an impersonation attack take place? Wouldn't it involve
> the attacker controlling one or the other of the identifiers?

Yes. Let's say I'm your new specialist, and you are trying to give me
access to your on-line medical records (i.e. you edit the ACL), but
instead you are giving access to somebody else whose OpenID was just
the same minus the 's'.

It appears to me that any solution to this must effectively guarantee
that http://foo can never refer to somebody other than https://foo
does, which is another way of phrasing the (almost the same) requirement.




Johannes Ernst
NetMesh Inc.


  http://netmesh.info/jernst
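The scenario above (an ACL editor that cannot tell http://foo from https://foo because the RP hides the scheme) can be shown in a few lines of code. The following is an added illustration, not code from the thread or from any OpenID library: the identifier normalization is a deliberately simplified, hypothetical one (it only lowercases scheme and host and adds a root slash, and does not implement the OpenID 2.0 normalization rules), and the identifiers, the access-control list and the "known users" directory are all constructed sample data. It shows that a scheme-less display form collides for the two identifiers, that a lookup by what the user typed is ambiguous, and that keying the ACL on the full canonical identifier (scheme included) keeps the grant from leaking to the look-alike.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Canonical form of a URL identifier that keeps the scheme.

    Hypothetical, simplified normalization for this example only (not the
    OpenID spec's): a scheme is required, scheme and host are lowercased,
    and an empty path becomes "/".
    """
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("identifier needs an http or https scheme: %r" % raw)
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def strip_scheme(text: str) -> str:
    """Drop 'scheme://' if present; what a user might type or see."""
    return text.split("://", 1)[1] if "://" in text else text


def display_form(identifier: str, show_scheme: bool) -> str:
    """What the RP shows the user.  show_scheme=False is the weak setting:
    http://foo and https://foo render identically."""
    canonical = normalize_identifier(identifier)
    if show_scheme:
        return canonical
    return strip_scheme(canonical).rstrip("/")


def ambiguous_matches(known_identifiers, typed_name: str):
    """Known identifiers whose scheme-less display equals the typed text.
    More than one hit means the RP cannot tell which user was meant."""
    wanted = strip_scheme(typed_name).rstrip("/")
    return [i for i in known_identifiers
            if display_form(i, show_scheme=False) == wanted]


class AccessControlList:
    """ACL keyed on the full canonical identifier, scheme included."""

    def __init__(self):
        self._grants = {}

    def grant(self, identifier: str, permission: str) -> None:
        key = normalize_identifier(identifier)
        self._grants.setdefault(key, set()).add(permission)

    def is_allowed(self, identifier: str, permission: str) -> bool:
        key = normalize_identifier(identifier)
        return permission in self._grants.get(key, set())


def demo():
    # Constructed sample data: the specialist's real OpenID, a look-alike
    # that differs only in the scheme, and an unrelated identifier.
    known = [
        "https://specialist.example/",
        "http://specialist.example/",
        "https://other.example/",
    ]
    # The patient types the name as the RP displayed it (without scheme).
    hits = ambiguous_matches(known, "specialist.example")

    acl = AccessControlList()
    acl.grant("https://specialist.example/", "read-records")
    return {
        "ambiguous_hits": hits,
        "scheme_less_collide": (display_form(known[0], False)
                                == display_form(known[1], False)),
        "with_scheme_differ": (display_form(known[0], True)
                               != display_form(known[1], True)),
        "lookalike_allowed": acl.is_allowed("http://specialist.example/",
                                            "read-records"),
        "real_allowed": acl.is_allowed("HTTPS://Specialist.Example",
                                       "read-records"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The point for an RP implementer is in `ambiguous_matches` and `display_form`: once the scheme is dropped from what the user sees, the RP has no way to recover which of the two identifiers the user meant, so either the scheme must be shown (and the ACL keyed on the canonical URL, as `AccessControlList` does) or the system must guarantee, as the message asks, that http://foo and https://foo can never name different people.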
