[OpenID] Reconsidering http://openid different from https://openid
George Fletcher
gffletch at aol.com
Thu Sep 20 12:33:28 UTC 2007
Joseph Holsten wrote:
> On Sep 19, 2007, at 12:58 PM, Johnny Bufu wrote:
>
>>
>> On 19-Sep-07, at 7:07 AM, George Fletcher wrote:
>>
>>> But isn't that a choice of the RP? The RP could allow the user to
>>> select an option that says that only https identifiers are
>>> allowed. That would protect the user from the attack of someone
>>> using an http identifier. This could be the default option and the
>>> user could turn it off if they want.
>>
>> OpenID being user-centric, and the user being the "owner" of the
>> identifier, I'd say it should be the user's choice.
> This, and not adding complexity to the OpenID spec cause me to support
> the IDs as separate.
>
> As an implementor, I would not think OpenID would normalize, or
> otherwise merge, two unique identifiers beyond the standard
> normalization for URI/XRI.
> The benefits of using a URI/XRI as an identifier disappear when we add
> extra normalization to these identifiers. Let's either use those
> identifiers or bite the bullet and start calling me
> openid://josephholsten.com
>
So I think I'm convinced now of this as well. I don't think the spec can
do anything to "solve" this issue. However, I realized that in the use
case Johannes proposed, the issue isn't about RP or OP and identifiers,
it's about how the user communicates their identifier to another person
or party.

If my OP always redirects my http://george.op.example to
https://george.op.example then my claimed identifier at all RPs is
really https://george.op.example. However, I don't know this so when
someone asks for my OpenID I give them http://george.op.example because
that's what I enter at all the RPs. If this URL is added to the ACL
without first being normalized per section 7.2 (OpenID 2.0 draft 12)
then when I try and access the site, I will be rejected because the site
will have a claimed_id of https://george.op.example and the ACL will
have http://george.op.example.

This is just too confusing for users. Especially when the OP can change
the claimed_id from what the user entered (albeit the only change being
from http to https).

It seems that a RP maintaining an ACL must normalize any user
communicated identifier before adding it to the ACL. That, matched with
OPs following a best practice of redirecting http to https should solve
most of the issues. If the user chooses to use delegation then they are
on their own to understand the intricacies of the spec :)

Thanks,
George
> http:// Joseph Holsten .com
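The ACL mismatch described in the message above, and the effect of normalizing before insertion, shown as an added example (not code from the thread or from any OpenID library). The redirect table stands in for real HTTP discovery, and the names AccessList, normalize_claimed_id and syntactic_normalize are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for HTTP discovery: URL -> redirect target.
# A real RP would follow the OP's actual redirects when fetching the URL.
SIMULATED_REDIRECTS = {
    "http://george.op.example/": "https://george.op.example/",
}

def syntactic_normalize(identifier):
    """Add a missing scheme, lowercase scheme and host, drop the fragment,
    and use "/" for an empty path (assumes no userinfo in the URL)."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not an http(s) identifier: %r" % identifier)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

def normalize_claimed_id(identifier, redirects=SIMULATED_REDIRECTS, max_hops=5):
    """Follow redirects; the final URL is what the RP will see as claimed_id."""
    url = syntactic_normalize(identifier)
    for _ in range(max_hops):
        target = redirects.get(url)
        if target is None:
            return url
        url = syntactic_normalize(target)
    raise ValueError("too many redirects for %r" % identifier)

class AccessList:
    """ACL keyed on claimed identifiers; normalize=False reproduces the bug."""
    def __init__(self, normalize=True):
        self.normalize = normalize
        self.entries = set()

    def add(self, user_supplied):
        entry = normalize_claimed_id(user_supplied) if self.normalize else user_supplied
        self.entries.add(entry)

    def allows(self, claimed_id):
        # claimed_id is the value the RP holds after a successful login.
        return claimed_id in self.entries
```

With normalize=False, an entry stored as given (http) never matches the https claimed_id produced at login; with the default, both the ACL entry and the login value resolve to the same string.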