[OpenID] Reconsidering http://openid different from https://openid
Paul C. Bryan
email at pbryan.net
Thu Sep 20 23:49:07 UTC 2007
On Thu, 2007-09-20 at 19:30 -0400, Christopher St John wrote:
> So, if the question is "What is intuitive?" then the answer is that
> URLs differing only in http vs https point[1] to the same thing and no
> sane person is going to assume they don't.
I don't think this can simply be a matter of what is intuitive. I think security
is an important (probably paramount) consideration. A reality that many
a security specialist will likely agree with is that security has a
knack for not being intuitive (or easy).

I believe the question should be framed around what solution can be
(primarily) secure and (secondarily) intuitive. I believe any attempt to
equate HTTP and HTTPS OpenID URLs will result in a significant, and
unacceptable, loss of security.

Paul