[OpenID] Reconsidering http://openid different from https://openid
Jack
jack at jackpot.uk.net
Thu Sep 20 18:22:30 UTC 2007
Johnny Bufu wrote:
>
> On 20-Sep-07, at 6:16 AM, Jack wrote:
>
>> So an RP that maintains ACLs should de-normalise the id before
>> recording it in their ACL tables, confident in the knowledge that
>> no OP may treat an https id as distinct from an http id
>
> The RP can do that, but I don't think that's a good idea, for the
> same reasons discussed throughout this thread.
>
> The spoofed-DNS OP will make the person behind the HTTP URL
> (attacker) different than the person behind the HTTPS URL (legitimate
> user).
I appreciate the vulnerability, and I don't have a solution. I'm not a
security consultant or an identity specialist.
My point is simply that treating the two ids as distinct defeats the
attractive features of OpenID:
* It's simple enough for everyman to understand how to use it
* You can be your own provider, and not be a 2nd-class citizen
* You can delegate an OP's ID to your own site just by writing a few
<link> tags, and so use your website's URL as your ID (and at the
same time create an ID that has the same amount of permanence as your
website).
If the two ids are distinct, every single one of these benefits is
dissolved, at least as far as non-geeks are concerned, and everyone here
might as well go home, AFAICS.
A solution that I suppose would cover most of these problems would be to
require HTTPS. I believe that HTTP is permitted only because some
webserver software might not have the requisite libraries. I think
that's a poor reason for breaking all those benefits, given that most
people _do_ have access to SSL libraries.
--
Jack.
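As an added illustration (not code from this thread or from any OpenID library), the snippet below shows what the two policies debated above do to an RP's ACL lookup: OpenID 2.0-style URL normalization with the scheme kept, versus a de-normalising variant that folds http and https into one key. The ACL table, hostnames and role names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_openid_url(identifier: str, merge_schemes: bool = False) -> str:
    """Normalize a URL identifier the way an RP does before comparing it.

    Steps follow the usual OpenID 2.0 treatment: prepend "http://" to a bare
    host, lowercase scheme and host, drop default ports and the fragment,
    and give an empty path a trailing slash.  merge_schemes=True is the
    de-normalisation Jack describes: both schemes collapse to one key.
    """
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("only http/https identifiers are handled here")
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    if merge_schemes:
        scheme = "https"  # http://x and https://x now share one ACL key
    return urlunsplit((scheme, host, path, parts.query, ""))

# Constructed ACL: only the HTTPS form of Alice's identifier was granted a role.
ACL = {"https://alice.example/": "admin"}

def role_for(claimed_id: str, merge_schemes: bool = False):
    """Look the claimed identifier up in the ACL under the chosen policy."""
    return ACL.get(normalize_openid_url(claimed_id, merge_schemes))

def ids_collide(a: str, b: str, merge_schemes: bool = False) -> bool:
    """True when two identifiers map to the same ACL key under the policy."""
    return normalize_openid_url(a, merge_schemes) == normalize_openid_url(b, merge_schemes)

if __name__ == "__main__":
    for policy in (False, True):
        print("merge_schemes =", policy,
              "http form ->", role_for("http://alice.example", policy),
              "collide:", ids_collide("http://alice.example", "https://alice.example", policy))
```

With merge_schemes=True the http form inherits the role granted to the https form, which is exactly the collision Johnny's spoofed-DNS scenario exploits; with the scheme kept, the two identifiers are separate ACL entries.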