[OpenID] Reconsidering http://openid different from https://openid
Joseph Holsten
joseph at josephholsten.com
Wed Sep 19 20:05:49 UTC 2007
On Sep 19, 2007, at 12:58 PM, Johnny Bufu wrote:
>
> On 19-Sep-07, at 7:07 AM, George Fletcher wrote:
>
>> But isn't that a choice of the RP? The RP could allow the user to
>> select an option that says that only https identifiers are
>> allowed. That would protect the user from the attack of someone
>> using an http identifier. This could be the default option and the
>> user could turn it off if they want.
>
> OpenID being user-centric, and the user being the "owner" of the
> identifier, I'd say it should be the user's choice.

This, and not adding complexity to the OpenID spec, cause me to support
the IDs as separate.

As an implementor, I would not think OpenID would normalize, or
otherwise merge, two unique identifiers beyond the standard
normalization for URI/XRI.

The benefits of using a URI/XRI as an identifier disappear when we
add extra normalization to these identifiers. Let's either use those
identifiers or bite the bullet and start calling me
openid://josephholsten.com

http:// Joseph Holsten .com
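
The position argued in the message above, as an added example that is not part of the original post or of any OpenID library: a relying party applies only RFC 3986 syntax normalization (scheme and host case, default port, dot segments, empty path) and keys accounts on the result, so the http and https forms stay separate identities. `normalize_identifier`, `AccountStore` and the example.com identifiers are hypothetical names constructed for illustration; percent-encoding normalization is left out.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def remove_dot_segments(path):
    """Resolve '.' and '..' path segments (RFC 3986 section 5.2.4)."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        if seg in (".", ".."):
            if seg == ".." and len(out) > 1:
                out.pop()
            if i == len(segments) - 1:
                out.append("")  # a trailing dot segment leaves a trailing slash
        else:
            out.append(seg)
    return "/".join(out)

def normalize_identifier(url):
    """Syntax normalization only; the scheme is never rewritten or merged."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("identifier must be an absolute http or https URL")
    host = parts.hostname  # urlsplit already lowercases the host
    if ":" in host:
        host = f"[{host}]"  # restore brackets around an IPv6 literal
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = remove_dot_segments(parts.path) or "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))

class AccountStore:
    """Relying-party account table keyed on the normalized identifier."""
    def __init__(self):
        self._accounts = {}

    def bind(self, identifier, account):
        self._accounts[normalize_identifier(identifier)] = account

    def lookup(self, identifier):
        return self._accounts.get(normalize_identifier(identifier))

if __name__ == "__main__":
    store = AccountStore()
    store.bind("https://Example.com", "acct-1")  # constructed sample identifier
    print(store.lookup("HTTPS://example.com:443/"))  # same identifier, same account
    print(store.lookup("http://example.com/"))       # different scheme, no account
```
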