[OpenID] Reconsidering http://openid different from https://openid

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon Sep 24 11:05:45 UTC 2007 

The 2.0 Spec draft ( 
http://openid.net/specs/openid-authentication-2_0-12.html ) speaks about 
something different:


      Abstract

OpenID Authentication uses only standard HTTP(S) requests and responses, 
so it does not require any special capabilities of the User-Agent or 
other client software. OpenID is not tied to the use of cookies or any 
other specific mechanism of Relying Party or OpenID Provider session 
management. Extensions to User-Agents can simplify the end user 
interaction, though are not required to utilize the protocol.

and throughout the specs:

Identifier:
    An Identifier is either a "http" or "https" URI, (commonly referred
    to as a "URL" within this document), or an XRI (Reed, D. and D.
    McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” .)
    <http://openid.net/specs/openid-authentication-2_0-12.html#XRI_Syntax_2.0>
    [XRI_Syntax_2.0]. This document defines various kinds of
    Identifiers, designed for use in different contexts.


      7.2.  Normalization

#  Otherwise, the input SHOULD be treated as an http URL; if it does not 
include a "http" or "https" scheme, the Identifier MUST be prefixed with 
the string "http://". If the URL contains a fragment part, it MUST be 
stripped off. See Section 11.5.2 (HTTP and HTTPS URL Identifiers) for 
more information.


      11.5.2.  HTTP and HTTPS URL Identifiers

Relying Parties MUST differentiate between URL Identifiers that have 
different schemes. When end user input is processed into a URL, it is 
processed into a HTTP URL. If the same end user controls the same URL, 
differing only by scheme, and it is desired that the Identifier be the 
HTTPS URL, _*it is RECOMMENDED that a redirect be issued from the HTTP 
URL to the HTTPS URL*_. Because the HTTP and HTTPS URLs are not 
equivalent and the Identifier that is used is the URL after following 
redirects, there is no foreseen reduction in security when using this 
scheme. If an attacker could gain control of the HTTP URL, it would have 
no effect on the HTTPS URL, since the HTTP URL is not ever used as an 
Identifier except to initiate the discovery process.


-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
 




Stephane Bortzmeyer wrote:
> On Thu, Sep 20, 2007 at 03:55:14PM -0700,
>  Paul C. Bryan <email at pbryan.net> wrote 
>  a message of 59 lines which said:
>
>   
>> OpenID is built on the HTTP(s) protocol,
>>     
>
> Checking the specification, it does not seem so. The specification
> apparently only says that the identifier has to be resolvable (an URL,
> not just any URI), which includes ftp:// URLs (and gopher:// :-)
>
> That's why it would be a bad idea to make a special case for
> http/https by saying that they must be the same. This would break the
> simple rule that an identifier is any URL.
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070924/82450d31/attachment-0002.htm>

More information about the general mailing list