[OpenID] Reconsidering http://openid different from https://openid
Christopher St John
ckstjohn at gmail.com
Sat Sep 22 07:38:15 UTC 2007
On 9/21/07, Dick Hardt <dick at sxip.com> wrote:
>
> I have a view that long term users will rarely if ever be directly
> managing their URLs. This will be driven for two reasons:
>
> 1) security -- in order to address the security risks of a malicious
> RP proxying the user, there will be client side code managing the
> URLs and securing the connection between the user and the OP
>
Given the current limited usage of such client side code in this
space, it's an issue now and for the medium-term future.
Besides, requiring client-side code seems like a big barrier to
adoption. I know it would be for me.
> ... we need to ensure that we don't create a security hole with
> how we deal with different schemes and ports.
>
But there are an infinite number of threats, most of which aren't
worth worrying about. I'm claiming this one is a red herring, but
to really decide:
http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html
-cks
--
Christopher St. John
http://artofsystems.blogspot.com