[OpenID] Reconsidering http://openid different from https://openid
Johnny Bufu
johnny at sxip.com
Thu Sep 20 17:10:11 UTC 2007
On 20-Sep-07, at 6:16 AM, Jack wrote:
> So an RP that maintains ACLs should de-normalise the id before
> recording it in their ACL tables, confident in the knowledge that
> no OP may treat an https id as distinct from an http id
The RP can do that, but I don't think that's a good idea, for the
same reasons discussed throughout this thread.
The spoofed-DNS OP will make the person behind the HTTP URL (attacker)
different than the person behind the HTTPS URL (legitimate user).
Johnny