[OpenID] Reconsidering http://openid different from https://openid
Josh Hoyt
josh at janrain.com
Wed Sep 19 23:00:10 UTC 2007
On 9/19/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> On Sep 19, 2007, at 15:12, Josh Hoyt wrote:
> > If I understand correctly, you are proposing to solve this problem by
> > defining identifiers differentiated only by scheme to be equivalent.
> > Is that correct?
>
> On reflection, just the following ones:
>
> http://foo/bar
> http://foo:80/bar
> http://foo:443/bar
> https://foo/bar
> https://foo:80/bar
> https://foo:443/bar
If you define those identifiers to be equivalent, then the exposure
for one party controlling the identifier with HTTP and another party
controlling the identifier with HTTPS is much worse than an
impersonation attack (it's complete compromise of the identifier).
Defining those to be equivalent does not solve this problem.
Josh
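The distinction Josh draws can be made concrete with a small identifier normalizer. The following is an added illustration, not code from this thread or from any OpenID library; the function names are hypothetical and the six identifiers are the ones Johannes listed. It contrasts a normalizer that only drops a scheme's default port (so http and https stay separate identifiers) with the proposed scheme-blind rule, and shows how a relying party using the latter would treat proof of control over the http identifier as proof of control over the https one.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports per RFC 3986 section 6.2.3: these, and only these, may be elided.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(identifier: str) -> str:
    """Canonical form that keeps scheme-distinct identifiers distinct.

    A port equal to the scheme's default is dropped and scheme/host are
    lower-cased. A non-default port (http on 443, https on 80) is kept,
    and http vs https is never collapsed.
    """
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def scheme_blind_key(identifier: str) -> str:
    """The proposed rule from the quoted message: scheme and port ignored."""
    parts = urlsplit(identifier)
    return f"{(parts.hostname or '').lower()}{parts.path or '/'}"


def equivalence_classes(identifiers, key_fn):
    """Group identifiers by the key each rule assigns them."""
    classes = {}
    for ident in identifiers:
        classes.setdefault(key_fn(ident), []).append(ident)
    return classes


def relying_party_accepts(verified: str, claimed: str, key_fn) -> bool:
    """Would a relying party using key_fn treat a user who proved control of
    `verified` as the owner of `claimed`?"""
    return key_fn(verified) == key_fn(claimed)


# Constructed input: the six identifiers from the quoted message.
PROPOSED_EQUIVALENT = [
    "http://foo/bar",
    "http://foo:80/bar",
    "http://foo:443/bar",
    "https://foo/bar",
    "https://foo:80/bar",
    "https://foo:443/bar",
]


def class_count(key_fn) -> int:
    return len(equivalence_classes(PROPOSED_EQUIVALENT, key_fn))


if __name__ == "__main__":
    for name, fn in (("default-port only", normalize), ("scheme-blind", scheme_blind_key)):
        print(f"{name}: {class_count(fn)} distinct identifier(s)")
        for key, members in equivalence_classes(PROPOSED_EQUIVALENT, fn).items():
            print(f"  {key} <- {members}")
    # Under the scheme-blind rule, control of the http identifier is
    # accepted as control of the https identifier.
    print(relying_party_accepts("http://foo/bar", "https://foo/bar", scheme_blind_key))
```

Run as a script it prints four classes under default-port normalization (http://foo/bar, http://foo:443/bar, https://foo/bar, https://foo:80/bar) and a single class under the scheme-blind rule, which is exactly the collapse Josh objects to: whoever can answer on port 80 is indistinguishable from whoever holds the TLS endpoint.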