[OpenID] Reconsidering http://openid different from https://openid
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Sep 24 23:31:16 UTC 2007
Pat Patterson wrote:
>
> On the other hand, let's say I compromise the someidp.com web site.
> Again, if an RP does discovery on http://eddy.someidp.com, I am free
> to send the RP anywhere I like, http or https.
Correct. This is one of the reasons why I personally lobby for a minimal
requirement standard for operating OpenID providers (or something along
these lines), in order to minimize the chance of compromise of providers.
>
> As far as I can see, it's only by the RP doing discovery
> on https://eddy.someidp.com that he gains any benefit from HTTPS.
Absolutely! And certificates should be issued by CAs known to issue only
to domain owners (e.g. minimum domain validated), otherwise there isn't
any benefit either.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
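To make the point of the exchange above concrete: the RP only gains transport protection when the identifier it performs discovery on is itself https, and even then it should refuse a discovered endpoint that falls back to http. The following is an added illustration written for this page, not code from the thread or from any OpenID library; the identifier/endpoint pairs in SAMPLE_DISCOVERY are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: what an RP might find when it performs discovery on a
# claimed identifier (endpoint URLs are invented for illustration).
SAMPLE_DISCOVERY = {
    "http://eddy.someidp.com": "https://someidp.com/openid/server",
    "https://eddy.someidp.com": "https://someidp.com/openid/server",
    "https://eddy.someidp.com/downgraded": "http://someidp.com/openid/server",
}


def https_benefit(claimed_id: str, op_endpoint: str) -> tuple[bool, str]:
    """Return (protected, reason) for a claimed identifier and the OP endpoint
    that discovery on it returned.

    Only an https identifier whose discovery yields an https endpoint gives the
    RP any benefit from HTTPS; an http identifier lets whoever controls the
    host (legitimately or not) send the RP anywhere, http or https.
    """
    id_scheme = urlsplit(claimed_id).scheme.lower()
    ep_scheme = urlsplit(op_endpoint).scheme.lower()
    if id_scheme != "https":
        return False, "discovery on an http identifier: no transport protection"
    if ep_scheme != "https":
        return False, "https identifier resolved to an http endpoint: refuse the downgrade"
    return True, "https identifier and https endpoint: transport protection holds"


def evaluate(discovery: dict[str, str]) -> dict[str, bool]:
    """Apply the policy to every (identifier, endpoint) pair; True = protected."""
    return {cid: https_benefit(cid, ep)[0] for cid, ep in discovery.items()}


if __name__ == "__main__":
    for cid, ep in SAMPLE_DISCOVERY.items():
        ok, why = https_benefit(cid, ep)
        print(f"{'OK  ' if ok else 'WARN'} {cid} -> {ep}: {why}")
```

The check is deliberately about URL scheme only; it says nothing about whether the endpoint's certificate was issued by a CA that validates domain ownership, which is the separate condition raised at the end of the message and which the RP's TLS stack, not discovery, has to enforce.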