[OpenID] Reconsidering http://openid different from https://openid
Johannes Ernst
jernst+openid.net at netmesh.us
Thu Sep 20 03:56:10 UTC 2007
Fair enough, the definition of the solution might be a bit more
complex then, but that doesn't mean the problem as I raised it and
others expanded on it does not exist.
Perhaps we need to phrase this in requirements for the OP and the RP.
Let me try -- I'm sure people will find holes in this, but perhaps it
gets us a step further: first, for brevity, define SEQU as the list of
"semantically equivalent URLs" as listed below.
For OPs:
OPs MUST ensure that if they make available more than one identifier
in an SEQU for use as an OpenID, all identifiers in the SEQU are
controlled by the same party.
For RPs:
RPs MUST ensure that all identifiers in a SEQU are associated with
the same account, provided, however, that an account last accessed
with an HTTPS identifier in the SEQU must be prevented from being
accessed with an HTTP identifier in the SEQU unless the account
owner, authenticated using an HTTPS identifier, has specifically
allowed it. (The idea is to only allow the ratcheting up of
security, not down.)
How's that?
On Sep 19, 2007, at 16:00, Josh Hoyt wrote:
> On 9/19/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>> On Sep 19, 2007, at 15:12, Josh Hoyt wrote:
>>> If I understand correctly, you are proposing to solve this
>>> problem by
>>> defining identifiers differentiated only by scheme to be equivalent.
>>> Is that correct?
>>
>> On reflection, just the following ones:
>>
>> http://foo/bar
>> http://foo:80/bar
>> http://foo:443/bar
>> https://foo/bar
>> https://foo:80/bar
>> https://foo:443/bar
>
> If you define those identifiers to be equivalent, then the exposure
> for one party controlling the identifier with HTTP and another party
> controlling the identifier with HTTPS is much worse than an
> impersonation attack (it's complete compromise of the identifier).
> Defining those to be equivalent does not solve this problem.
>
> Josh
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
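The RP side of the proposal above, written out as an added example (this is not code from the thread, from any OpenID library, or from the author). It assumes Python's urllib for URL parsing, an in-memory dict as the RP's account store, and a boolean opt-in flag as the form the owner's "specifically allowed it" takes; the SEQU membership (http/https, no port, :80, :443) is exactly the list quoted in the thread, and a non-default port is assumed to keep an identifier out of the SEQU. Verification of the OpenID assertion itself is assumed to have happened before `login` is called.

```python
"""Added example: a SEQU key plus the RP "ratchet up, never down" rule.

Assumptions (not from the thread): urllib for parsing, an in-memory
dict as the account store, a boolean opt-in flag set by the owner while
authenticated over HTTPS, and fragments not being part of identity.
"""
from urllib.parse import urlsplit

# Ports the thread lists as interchangeable within a SEQU (None = absent).
SEQU_PORTS = {None, 80, 443}


def sequ_key(identifier):
    """Return (scheme, key) for an http(s) identifier.

    The key drops the scheme and any SEQU port, so every member of the
    SEQU quoted in the thread maps to one key. A non-default port stays
    in the key because the thread does not make such URLs equivalent.
    """
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) identifier: %r" % identifier)
    host = parts.hostname.lower()
    port = parts.port                     # None when no port is given
    netloc = host if port in SEQU_PORTS else "%s:%d" % (host, port)
    path = parts.path or "/"              # empty path normalises to "/"
    key = netloc + path
    if parts.query:
        key += "?" + parts.query          # query kept; fragment dropped (assumption)
    return scheme, key


class RelyingParty:
    """In-memory account store implementing the proposed RP requirement."""

    def __init__(self):
        # SEQU key -> {"last_scheme": "http"|"https"|None, "http_allowed": bool}
        self._accounts = {}

    def login(self, identifier):
        """Map a verified identifier onto its SEQU account.

        Returns ("ok", key) or ("denied", key). Access is denied when the
        account was last reached over HTTPS, this attempt is over HTTP,
        and the owner has not opted in: security may only ratchet up.
        """
        scheme, key = sequ_key(identifier)
        acct = self._accounts.setdefault(
            key, {"last_scheme": None, "http_allowed": False})
        if (scheme == "http" and acct["last_scheme"] == "https"
                and not acct["http_allowed"]):
            return "denied", key          # last_scheme is left untouched
        acct["last_scheme"] = scheme
        return "ok", key

    def allow_http(self, identifier):
        """Owner opt-in; honoured only from a current HTTPS login."""
        scheme, key = sequ_key(identifier)
        acct = self._accounts.get(key)
        if scheme != "https" or acct is None or acct["last_scheme"] != "https":
            raise PermissionError("opt-in requires an HTTPS-authenticated login")
        acct["http_allowed"] = True


if __name__ == "__main__":
    rp = RelyingParty()
    print(rp.login("http://foo/bar"))          # ('ok', 'foo/bar')
    print(rp.login("https://foo:443/bar"))     # ('ok', 'foo/bar')
    print(rp.login("http://foo:80/bar"))       # ('denied', 'foo/bar')
    rp.allow_http("https://foo/bar")
    print(rp.login("http://foo:80/bar"))       # ('ok', 'foo/bar')
```

The denial branch deliberately does not update `last_scheme`, so a rejected HTTP attempt cannot itself "reset" the account to HTTP; only a successful HTTPS opt-in opens the account to the HTTP members of its SEQU.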