[OpenID] Reconsidering http://openid different from https://openid
Pat Patterson
Andrew.Patterson at Sun.COM
Mon Sep 24 15:22:24 UTC 2007
I don't understand this from section 11.5.2:
On Sep 24, 2007, at 4:05 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Because the HTTP and HTTPS URLs are not equivalent and the
> Identifier that is used is the URL after following redirects, there
> is no foreseen reduction in security when using this scheme. If an
> attacker could gain control of the HTTP URL, it would have no
> effect on the HTTPS URL, since the HTTP URL is not ever used as an
> Identifier except to initiate the discovery process.
Surely, if an attacker gained control of the HTTP URL, he would be
free to redirect to an endpoint of his choosing, a clear reduction in
security. Am I missing something?
Cheers,
Pat
- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -