[OpenID] Reconsidering http://openid different from https://openid

Eric Norman ejnorman at doit.wisc.edu
Wed Sep 19 22:49:11 UTC 2007


On Sep 19, 2007, at 2:40 PM, Johannes Ernst wrote:

> I postulate that:
>
>  - 99% of internet users have only a very vague idea about the 
> difference between http and https, in particular as it relates to 
> OpenID. And in particular as so many RPs don't print the "http[s]" 
> prefix when they print a user name!

My speculation is that the best you can do regarding "very vague idea"
is that the "s" version means secure and the other means insecure.
Nothing beyond that. See Peter Williams' spouse comment. Whether they
pay attention or not is another matter that Dick Hardt touched on.

Now. Can someone please present a use case where a user is given a
choice between secure and insecure and they would choose insecure?
PLEASE?

>  - almost 100% of internet users won't understand that an RP might 
> choose to make http://foo and https://foo a different account. (I have 
> some evidence that at least 90% of a representative sample of leading 
> identity technologists don't understand it)

I think we have evidence right in this thread that there are identity
technologists that don't understand much beyond how the code works.

> I would also guess that a (human-level) impersonation attack by 
> http://foo against https://foo will almost always be successful - 
> e.g. because so many RPs don't print the protocol prefix.

I would guess that it won't because of lack of opportunity. Nobody in
their right mind would deploy a system where URLs that only differ by
http vs. https would be identifiers for different parties.

> Would anybody on this thread disagree with these assumptions?

I sure don't think I did. I just tried to amplify them, ask for
something that would be really useful (a use case) and slip in a cheap
shot.

Who has the use case?

Eric Norman
http://ejnorman.blogspot.com
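The RP-side situation the thread argues about, as an added example that is not part of the post or of any OpenID library: a relying party that keys accounts on the full normalized identifier but shows users the scheme-stripped form, and so can at least detect when two registered identifiers differ only by http vs. https. The normalization is a simplified version of the OpenID 2.0 rules (bare identifiers get http://, fragment dropped, default port dropped), not the spec's full procedure; hostnames such as foo.example are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(raw: str) -> str:
    """Simplified OpenID 2.0 style normalization (assumption: not the spec's full rule set)."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s  # bare identifiers are taken to be http URLs
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    # fragment is discarded; query is kept
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def display_name(identifier: str) -> str:
    """What many RPs show to humans: the identifier without its scheme prefix."""
    return identifier.split("://", 1)[1]


def scheme_only_difference(a: str, b: str) -> bool:
    """True when two identifiers are distinct but look identical once the scheme is hidden."""
    na, nb = normalize_identifier(a), normalize_identifier(b)
    return na != nb and display_name(na) == display_name(nb)


class AccountStore:
    """RP account table keyed on the full normalized identifier (http and https stay separate)."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, identifier: str) -> tuple[str, list[str]]:
        """Create the account and report existing identifiers that collide on the displayed name.

        The caller can use the collision list to show the full URL instead of the bare name.
        """
        key = normalize_identifier(identifier)
        collisions = [k for k in self.accounts if scheme_only_difference(k, key)]
        self.accounts[key] = {"display": display_name(key)}
        return key, collisions
```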