[OpenID] Reconsidering http://openid different from https://openid
Dick Hardt
dick at sxip.com
Thu Sep 20 03:58:46 UTC 2007
On 19-Sep-07, at 8:56 PM, Johannes Ernst wrote:
> Fair enough, the definition of the solution might be a bit more
> complex then, but that doesn't mean the problem as I raised it and
> others expanded on it does not exist.
>
> Perhaps we need to phrase this in requirements for the OP and the RP.
> Let me try -- I'm sure people will find holes in this, but perhaps it
> gets us a step further: first, for brevity, define SEQU the list of
> "semantically equivalent URLs" as listed below.
>
> For OPs:
> OPs MUST ensure that if it makes available more than one identifier
> in an SEQU for use as an OpenID, all identifiers in the SEQU are
> controlled by the same party.
>
> For RPs:
> RPs MUST ensure that all identifiers in a SEQU are associated with
> the same account, provided, however, that an account last accessed
> with an HTTPS identifier in the SEQU must be prevented from being
> accessed with an HTTP identifier in the SEQU unless the account
> owner, authenticated using an HTTPS identifier, has specifically
> allowed it. (The idea is to only allow the ratcheting up of
> security, not down)
>
> How's that?
Note OPs are not the only one making identifiers available.
More information about the general
mailing list