[OpenID] Reconsidering http://openid different from https://openid
Paul C. Bryan
email at pbryan.net
Wed Sep 19 22:17:22 UTC 2007
Hi all:
For what it's worth, I think that whatever the solution, an ambiguous
identifier (e.g. example.myopenid.com, sans URL scheme and delimiter)
must resolve to a deterministic, unambiguous identifier, which does not
rely on the presence of the resource at the time it is being resolved.
The idea of an RP trying one, and if that one fails, trying another, and
so on is fraught with danger. Now I can coerce an ambiguous identifier
to resolve to something different than intended if I can: a) take control of a
resource sooner in the resolution chain, or b) DOS a resource in the
chain to cause a later one I control to be evaluated.
I certainly appreciate the attempts to resolve the identity theft issue, but
OpenID is in legacy mode. I have to agree with Dick so far. I don't see
any ways out of this problem that don't incur ugly consequences (e.g.
breakage of existing usage practices by user, RP and/or OP).
Paul
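The two resolution strategies contrasted in the post, as an added illustration (not code from the post or from any OpenID library): `normalize_deterministic` maps a scheme-less identifier to exactly one URL using a fixed default scheme (assumed here to be `http`, the rule OpenID 2.0 normalization uses), while `resolve_with_fallback` is the try-one-then-another pattern, whose answer changes as soon as the first candidate is unreachable. The `is_reachable` callback stands in for a network fetch and is a constructed stand-in.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_deterministic(identifier: str, default_scheme: str = "http") -> str:
    """Map an ambiguous identifier to one URL, independent of what is reachable.

    Scheme-less input gets the fixed default scheme; host is lower-cased, an
    empty path becomes "/", and any fragment is dropped. The same input always
    yields the same output, so an outage cannot steer resolution elsewhere.
    """
    if "://" not in identifier:
        identifier = f"{default_scheme}://{identifier}"
    parts = urlsplit(identifier)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, ""))


def resolve_with_fallback(identifier: str, is_reachable) -> str:
    """The pattern the post warns against: first candidate that answers wins.

    `is_reachable(url) -> bool` is a constructed stand-in for a network fetch.
    """
    if "://" in identifier:
        return normalize_deterministic(identifier)
    for scheme in ("https", "http"):
        candidate = normalize_deterministic(identifier, scheme)
        if is_reachable(candidate):
            return candidate
    raise LookupError("no candidate for %r was reachable" % identifier)


def outage_effect(identifier: str) -> tuple:
    """Resolve the same identifier normally and during an https outage.

    Returns (deterministic_normal, deterministic_outage,
             fallback_normal, fallback_outage) so the difference is visible.
    """
    everything_up = lambda url: True
    https_down = lambda url: not url.startswith("https://")  # constructed outage
    return (normalize_deterministic(identifier),
            normalize_deterministic(identifier),
            resolve_with_fallback(identifier, everything_up),
            resolve_with_fallback(identifier, https_down))


if __name__ == "__main__":
    for label, url in zip(("det/normal", "det/outage", "fb/normal", "fb/outage"),
                          outage_effect("example.myopenid.com")):
        print(f"{label:11} -> {url}")
```

The deterministic pair is identical in both conditions; the fallback pair differs, which is exactly the lever described in case b) of the post.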