[OpenID] Reconsidering http://openid different from https://openid
Paul C. Bryan
email at pbryan.net
Thu Sep 20 22:55:14 UTC 2007
On Thu, 2007-09-20 at 19:22 +0100, Jack wrote:
> My point is simply that treating the two ids as distinct defeats the
> attractive features of OpenID
Perhaps. Though, in reality, the two IDs are distinct, because they
result in different requests to different ports, potentially to two
separate pieces of server software[1]. We can't enforce, by fiat, that web
server operators worldwide make HTTP==HTTPS.
OpenID is built on the HTTP(s) protocol, and inherited the distinction
between these two different schemes. No amount of standard-setting
in OpenID will change this (though I would argue that OpenID has
exacerbated this by not specifying a method of canonicalization, leaving
this up to implementers of OpenID consumers).
> If the two ids are distinct, every single one of these benefits is
> dissolved, at least as far as non-geeks are concerned, and everyone
> here might as well go home, AFAICS.
They are in fact distinct. Let's start rational discussion of any
possible solutions with the premise that HTTP is HTTP[2] and HTTP is not
HTTPS or vice versa.
> A solution that I suppose would cover most of these problems would be
> to require HTTPS.
I'm operating on the presumption by this you mean to exclude HTTP as a
valid identifier scheme. For what you suppose to be true, every server
hosting an OpenID identifier will require:
* a separate IP address (no multiple hostnames on the same IP)
* a valid TLS certificate, issued by a trusted third party ($$$)
Furthermore, all consumers must:
* canonicalize ambiguous identifiers to HTTPS URLs (not HTTP as they
do today)
* verify the certificate of the server they connect to
> I believe that HTTP is permitted only because some webserver software
> might not have the requisite libraries.
I think it's because HTTP is easy and cheap, and HTTPS is hard(er) to
set up, and more resource-intensive (on IP addresses, CPU, $$$).
[1] If a load balancer or other routing technology is used, even two
separate systems on the network.
[2] http://en.wikipedia.org/wiki/Law_of_identity
Not to be confused with Kim's laws of identity, this is the tautology
that something is itself (and not something else).
Paul
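The canonicalization step the thread argues about, as an added illustration that is not code from the post, from Jack, or from any OpenID library: a consumer-side normalizer that turns a user-typed identifier into one canonical URL and shows that `http://openid` and `https://openid` end up as different identifiers aimed at different ports. The normalization rules (lowercase scheme and host, drop the default port, add a root path, discard the fragment) are an assumption taken from the generic URL normalization in RFC 3986 section 6, not the post's words; the `default_scheme` parameter is there so the "canonicalize to HTTP as consumers do today" and "canonicalize to HTTPS" policies can be compared side by side.

```python
"""Identifier normalization for an OpenID relying party (consumer).

Added example for the thread above; not code from the post or from an
OpenID implementation. Assumptions not in the original: the normalization
rules follow RFC 3986 section 6 (lowercase scheme and host, drop the
default port, add a root path, drop the fragment), and the scheme applied
to a scheme-less identifier is a parameter so both policies discussed in
the thread can be tried.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str, default_scheme: str = "http") -> str:
    """Return the canonical URL for a user-typed OpenID identifier.

    default_scheme="http" mirrors what the post says consumers do today;
    default_scheme="https" mirrors the proposal to require HTTPS.
    An identifier that already carries a scheme is never rewritten to the
    other scheme: the two are distinct resources, so guessing is wrong.
    """
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    if "://" not in ident:
        ident = f"{default_scheme}://{ident}"
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # None when absent; ValueError if not numeric
    # An explicit default port (":80" for http, ":443" for https) is dropped
    # so that it compares equal to the same URL without it.
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # The fragment is not part of the identifier; the query is kept.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def discovery_target(canonical: str) -> tuple:
    """(scheme, host, tcp_port) the consumer will actually connect to
    for discovery, which is what makes http and https distinct in practice."""
    parts = urlsplit(canonical)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])


def same_identifier(a: str, b: str, default_scheme: str = "http") -> bool:
    """Two identifiers are the same only if their canonical forms are equal."""
    return normalize_identifier(a, default_scheme) == normalize_identifier(b, default_scheme)


if __name__ == "__main__":
    for raw in ("openid.example", "HTTP://OpenID.example:80/", "https://openid.example/"):
        canon = normalize_identifier(raw)
        print(f"{raw!r:35} -> {canon!r:30} {discovery_target(canon)}")
    print("http vs https same identifier?",
          same_identifier("http://openid.example/", "https://openid.example/"))
```

Note that the `https` policy only changes the result for identifiers typed without a scheme; an identifier that explicitly says `http://` still stays `http://`, because rewriting it would silently point discovery at a different server and port, which is exactly the distinction the post insists on.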