[OpenID] Reconsidering http://openid different from https://openid
Pat Patterson
Andrew.Patterson at Sun.COM
Mon Sep 24 22:46:07 UTC 2007
OK - I get it now. Thanks, Josh!
Cheers,
Pat
On Sep 24, 2007, at 3:41 PM, Josh Hoyt wrote:
> On 9/24/07, Pat Patterson <Andrew.Patterson at sun.com> wrote:
>> Let's say I compromise DNS, sending traffic for eddy.someidp.com
>> to www.myevilidp.com.
>> To initiate the discovery process, you type in
>> http://eddy.someidp.com at an RP. The RP
>> goes to www.myevilidp.com and he is in my clutches. I can send the
>> RP to an http or https endpoint of my choosing.
>
> The suggestion in the specification is valid *because* the HTTP and
> HTTPS identifiers are different from each other. If you compromise
> http://myid.invalid/ when all it was doing was redirecting to
> https://myid.invalid/, you can sign in as http://myid.invalid/, but
> that won't get you any closer to gaining access to resources that are
> tied to the identifier. All you can do is remove the convenient
> redirect that saves me typing and lets people automatically discover
> that the HTTPS identifier is me.
>
> The redirect is part of the URL normalization process for OpenID.
> Redirects tell the relying party to use a different identifier instead
> of the identifier that was entered.
>
> Hope that helps,
> Josh
- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -
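
The redirect-as-normalization point in Josh's reply, as an added example that is not part of the original thread: a relying party follows redirects to obtain the claimed identifier and keys accounts on that exact URL, scheme included. The `fetch` stub, the `HONEST` and `HIJACKED` response maps and the `ACCOUNTS` store are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 5  # assumed limit, so a redirect loop cannot stall discovery


def normalize(user_input):
    """Prepend http:// when no scheme is typed, lowercase the host,
    make sure there is a path, and drop any fragment."""
    if "://" not in user_input:
        user_input = "http://" + user_input
    p = urlsplit(user_input)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def claimed_identifier(user_input, fetch):
    """Follow redirects; the URL that finally answers is the claimed identifier.
    fetch(url) is a stand-in for an HTTP GET: it returns the redirect target,
    or None when the URL answers directly."""
    url = normalize(user_input)
    for _ in range(MAX_REDIRECTS):
        target = fetch(url)
        if target is None:
            return url
        url = normalize(target)
    raise ValueError("too many redirects")


# Constructed sample data.
# Honest site: the plain-HTTP URL only redirects to the HTTPS identifier.
HONEST = {"http://myid.invalid/": "https://myid.invalid/"}
# DNS compromised: plain HTTP is answered directly, the redirect is gone.
# HTTPS fetches are modelled as unaffected because TLS authenticates the host.
HIJACKED = {}

# The RP binds resources to the exact claimed identifier, scheme included.
ACCOUNTS = {"https://myid.invalid/": "josh"}


def account_for(user_input, web):
    """Return the local account bound to the discovered identifier, or None."""
    return ACCOUNTS.get(claimed_identifier(user_input, web.get))


if __name__ == "__main__":
    print(account_for("myid.invalid", HONEST))           # josh
    print(account_for("http://myid.invalid/", HIJACKED))  # None
```
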