[OpenID] Reconsidering http://openid different from https://openid
Peter Williams
pwilliams at rapattoni.com
Thu Sep 20 17:18:48 UTC 2007
There is a reason why XRI, HXRI and FOAF discovery work for a uniform identity using the URI name form - whereas http/https resolution does not.
In the working cases, there is an active resolver other than the locator mechanism built into HTTP/HTTPS. It's a third-party resolver process that is being trusted to enforce a consistent set of identity semantics, given suitable knowledge held only by the resolver.
(a) XRI - the resolver is the RP process
(b) HXRI - the resolver is the XRI proxy process
(c) FOAF - the resolver is the RDF induction engine either in the RP or at a proxy.
Neither the web nor DNS was designed to act as a secure name service (outside of MILNET). Forcing the web/DNS itself to impose a consistent identity based on its 80/20 design concept is unlikely to ever work well.
One can still use URIs as the name form, but a trusted resolver must be applied if you are going to base a web-friendly authentication protocol on secure discovery - rather than the PKI/WOT used in https.
________________________________
From: general-bounces at openid.net on behalf of Johnny Bufu
Sent: Thu 9/20/2007 10:10 AM
To: Jack
Cc: OpenID List
Subject: Re: [OpenID] Reconsidering http://openid different from https://openid
On 20-Sep-07, at 6:16 AM, Jack wrote:
> So an RP that maintains ACLs should de-normalise the id before
> recording it in their ACL tables, confident in the knowledge that
> no OP
> may treat an https id as distinct from an http id
The RP can do that, but I don't think that's a good idea, for the
same reasons discussed throughout this thread.
The spoofed-DNS OP will make the person behind the HTTP URL
(attacker) different than the person behind the HTTPS URL (legitimate
user).
Johnny
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
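The point Johnny makes about de-normalising identifiers, as an added worked example (this code is not from the thread, the OpenID specification, or any OpenID library). It normalizes a URL-form identifier along the lines of OpenID Authentication 2.0 section 7.2 (default scheme, lower-cased scheme and host, default port and fragment dropped, empty path made "/") but keeps the scheme, and then shows what happens to an RP's ACL check when the scheme is collapsed the way the quoted message proposes. The host alice.example.net, the ACL contents and the "spoofed DNS" scenario are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid_url(identifier: str) -> str:
    """Normalize a URL-form OpenID identifier (simplified, modelled on
    OpenID 2.0 section 7.2). The scheme is deliberately preserved: an
    http URL and an https URL are different claimed identifiers."""
    ident = identifier.strip()
    if ident.startswith("xri://") or ident[:1] in "=@+$!":
        # XRIs need their own resolver (Peter's point above); out of scope here.
        raise ValueError("XRI identifiers are not handled in this example")
    if "://" not in ident:
        ident = "http://" + ident          # spec default when no scheme is given
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()  # hostname drops userinfo, lower-cases
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port                      # raises ValueError on a bad port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # Fragment is dropped; query is kept, since it is part of the identifier.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def acl_key(identifier: str, collapse_scheme: bool = False) -> str:
    """Key under which an RP records a claimed identifier in its ACL table.
    collapse_scheme=True is the 'de-normalise' variant from the thread:
    http://x and https://x are stored and matched as the same principal."""
    url = normalize_openid_url(identifier)
    if collapse_scheme:
        return url.split("://", 1)[1]
    return url


def acl_allows(acl: set, claimed_identifier: str, collapse_scheme: bool = False) -> bool:
    """Would this RP grant access to the identifier an OP just asserted?"""
    return acl_key(claimed_identifier, collapse_scheme) in acl


def spoofed_dns_scenario(collapse_scheme: bool) -> bool:
    """Constructed scenario: the legitimate user enrolled with an https
    identifier. An attacker who can spoof DNS for the host can stand up an
    OP for the plain-http form, but cannot present the user's certificate,
    so they can only complete authentication for http://alice.example.net/.
    Returns True if the RP lets the attacker's assertion through."""
    legitimate = "https://alice.example.net/"
    attacker_controlled = "http://alice.example.net/"
    acl = {acl_key(legitimate, collapse_scheme)}
    return acl_allows(acl, attacker_controlled, collapse_scheme)


if __name__ == "__main__":
    print(normalize_openid_url("Alice.Example.NET"))
    print("scheme kept:     attacker admitted =", spoofed_dns_scenario(False))
    print("scheme collapsed: attacker admitted =", spoofed_dns_scenario(True))
```

With the scheme preserved, the http assertion simply does not match the https entry in the ACL. Once the RP collapses the two, the spoofed-DNS OP's assertion for the http form is accepted against an entry the user created over https, which is the outcome the quoted reply warns about.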