[OpenID] Reconsidering http://openid different from https://openid

Dick Hardt dick at sxip.com
Sat Sep 22 03:16:33 UTC 2007 

On 20-Sep-07, at 7:03 PM, Johannes Ernst wrote:

>
>> I believe the question should be framed around what solution can be
>> (primarily) secure and (secondarily) intuitive. I believe any  
>> attempt to
>> equate HTTP and HTTPS OpenID URLs will result in a significant, and
>> unacceptable, loss of security.
>
> This is where my priorities are different. (I hear the screams  
> already as I write this)
>
> A consumer-facing technology like OpenID that is secure but not  
> intuitive will be neither, because it will not be adopted: 0 times  
> whatever makes 0, whether it is secure or whatever. People will use  
> alternative, more intuitive technologies, who are very likely even  
> less secure.
>
> A consumer-facing technology like OpenID that is intuitive but not  
> secure can still reach 100% market share in a very large market:  
> SMTP and e-mail comes to mind first, and countless others.
>
> But what I'd like to challenge us all is to find a solution to this  
> problem that is intuitive and moderately secure, and can be used in  
> a manner that may be less intuitive but more secure after some  
> additional user education or additional conventions or what have  
> you that are less general.
>
> So ... I believe what I proposed earlier might fit the bill,  
> perhaps with some more fiddling. I would go for a "recommended"  
> instead of a "must" if that's what it takes to make some progress  
> on this.

I have a view that long term users will rarely if ever be directly  
managing their URLs. This will be driven for two reasons:

1) security -- in order to address the security risks of a malicious  
RP proxying the user, there will be client side code managing the  
URLs and securing the connection between the user and the OP

2) simplicity -- URLs are pretty geeky to users. Note how modern  
browsers will get a user to http://www.amazon.com/  even when the  
user only enters "amazon" in the address bar.

Given that, I don't we need to make URLs easier for users to work  
with, and we need to ensure that we don't create a security hole with  
how we deal with different schemes and ports.

my $0.02

-- Dick

More information about the general mailing list