[OpenID] Reconsidering http://openid different from https://openid
John Kemp
john at jkemp.net
Thu Sep 20 20:20:47 UTC 2007
It seems to me that Johannes has a point, which has been echoed by
others, that OpenID needs to be understandable to people in the street,
and telling people that they need to put http: or https: in front of
their OpenID is not a nice thing to have to say.
I don't really hear any disagreement from anyone.
However, there have been different means suggested to achieve this facility:
i) Make a requirement or two in the spec. that says that identifiers
differing with respect only to the scheme MUST be considered in some way
identical.
ii) Write best practices, or guidelines that should be widely adopted -
such as
- only issue/accept https identifiers
- reserve an identifier of one scheme for the "owner" of the identifier
containing the other scheme
- allow upgrading of HTTP -> HTTPS in some other ways
- ...
But saying directly in the specification that two identifiers which are
obviously different lexically are actually the same (only for the
purposes of OpenID) seems like a bad idea. Such writing conflicts with
what is true to the eyes - https://op.com/john.kemp /looks like/ a
different identifier than http://op.com/john.kemp (and it looks even
more different to a piece of software that directly reads each
character!) If you define equivalence in this way, I think it can only
get more confusing for humans, and software. And an OpenID is no longer
a URL, but something else.
There are, in addition, unknown, or at best vaguely known, security
considerations involved in choosing such a path.
If people are committed to making OpenID easy to understand (again, I
didn't hear any argument from anyone against that notion), then why
wouldn't they simply all implement the "best practices"? If this is the
case, the same goal can surely be achieved without the mandatory
requirements in specification text.
No need for tortuous mandatory requirements in the specification that
conflict with a standard human reading of (albeit normalized) URIs?
Regards,
- John
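The following is an added example, not code from the original post or from any OpenID implementation. It shows, in Python, a relying-party identifier check that normalizes a URL identifier (case, default port, fragment, empty path) while keeping http://op.com/john.kemp and https://op.com/john.kemp lexically distinct, and then applies the "only accept https" or "upgrade HTTP -> HTTPS" practices from the list above as an explicit policy choice. The host op.com and the policy names are assumptions; prepending http:// to a bare identifier follows OpenID 2.0 identifier normalization.

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(identifier: str) -> str:
    """Normalize a URL identifier without collapsing the scheme.

    Lowercases scheme and host, drops a default port and any fragment,
    and defaults an empty path to "/". http and https stay distinct.
    """
    if "://" not in identifier:
        # OpenID 2.0 normalization: a bare identifier gets http:// prepended.
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL identifier: {identifier!r}")
    host = parts.hostname.lower()
    default_port = 80 if scheme == "http" else 443
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))

def same_identifier(a: str, b: str) -> bool:
    """Exact comparison after normalization: the scheme is part of identity."""
    return normalize(a) == normalize(b)

def accept_identifier(identifier: str, policy: str) -> str:
    """Apply one of the assumed RP policies and return the identifier to use.

    "strict":     accept either scheme, never treat them as the same.
    "https-only": reject http identifiers outright.
    "upgrade":    rewrite http to https, relying on the OP reserving the
                  https form for the owner of the http form.
    """
    norm = normalize(identifier)
    if norm.startswith("https://"):
        return norm
    if policy == "strict":
        return norm
    if policy == "https-only":
        raise ValueError("http identifiers are not accepted by this RP")
    if policy == "upgrade":
        return "https://" + norm[len("http://"):]
    raise ValueError(f"unknown policy {policy!r}")
```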