[OpenID] Reconsidering http://openid different from https://openid

Dave Kearns dkearns at gmail.com
Thu Sep 20 18:37:13 UTC 2007


+1

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]On
> Behalf Of Jack
> Sent: Thursday, September 20, 2007 11:23 AM
> To: OpenID List
> Subject: Re: [OpenID] Reconsidering http://openid different from
> https://openid
> 
> 
> Johnny Bufu wrote:
> > 
> > On 20-Sep-07, at 6:16 AM, Jack wrote:
> > 
> >> So an RP that maintains ACLs should de-normalise the id before 
> >> recording it in their ACL tables, confident in the knowledge that 
> >> no OP may treat an https id as distinct from an http id
> > 
> > The RP can do that, but I don't think that's a good idea, for the 
> > same reasons discussed throughout this thread.
> > 
> > The spoofed-DNS OP will make the person behind the HTTP URL 
> > (attacker) different than the person behind the HTTPS URL (legitimate
> >  user).
> 
> I appreciate the vulnerability, and I don't have a solution. I'm not a
> security consultant or an identity specialist.
> 
> My point is simply that treating the two ids as distinct defeats the
> attractive features of OpenID:
> 
> * It's simple enough for everyman to understand how to use it
> * You can be your own provider, and not be a 2nd-class citizen
> * you can delegate an OP's ID to your own site just by writing a few
>    <link> tags, and so use your website's URL as your ID (and at the
>    same time create an ID that has the same amount of permanence as your
>    website).
> 
> If the two ids are distinct, every single one of these benefits is
> dissolved, at least as far as non-geeks are concerned, and everyone here
> might as well go home, AFAICS.
> 
> A solution that I suppose would cover most of these problems would be to
> require HTTPS. I believe that HTTP is permitted only because some
> webserver software might not have the requisite libraries. I think
> that's a poor reason for breaking all those benefits, given that most
> people _do_ have access to SSL libraries.
> 
> -- 
> Jack.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
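The ACL question in the quoted thread, worked through as an added example (not code from the list or from any OpenID library): a Relying Party keys its ACL by claimed identifier and can either keep the scheme after the usual OpenID 2.0 style normalization or collapse http and https into one key, as Jack suggests. The ACL entries and hostnames are constructed for the example; the scheme-collapsing variant shows why an assertion for the HTTP form inherits the HTTPS user's roles, which is the spoofed-DNS concern Johnny raises.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample ACL: the legitimate user verified the HTTPS form of
# the identifier and was granted the "admin" role.
ACL = {"https://alice.example.net/": {"admin"}}


def normalize_claimed_id(identifier: str) -> str:
    """Simplified OpenID 2.0 URL identifier normalization: add a missing
    http:// scheme, lowercase scheme and host, drop the fragment and any
    default port, and use '/' for an empty path. The scheme is kept, so
    http://x/ and https://x/ remain two different identifiers."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def scheme_collapsed_key(identifier: str) -> str:
    """The 'de-normalise' approach from the thread: treat the https and
    http forms as the same principal by rewriting https to http."""
    normalized = normalize_claimed_id(identifier)
    return normalized.replace("https://", "http://", 1)


def lookup_roles(asserted_id: str, collapse_scheme: bool) -> set:
    """Resolve the roles an RP would grant to an asserted identifier under
    either keying strategy. With collapse_scheme=True, an assertion for the
    HTTP form (which a DNS-spoofed OP could produce) matches the entry the
    HTTPS user earned; with False, it matches nothing."""
    key_fn = scheme_collapsed_key if collapse_scheme else normalize_claimed_id
    table = {key_fn(entry): roles for entry, roles in ACL.items()}
    return table.get(key_fn(asserted_id), set())
```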


