[OpenID] RPs accepting https:// identifiers
Gerald Beuchelt
beuchelt at sun.com
Mon Aug 11 19:44:34 UTC 2008
In light of the recent security issues, we have decided to improve the
security of our OpenID at Work service/experiment
(<http://blog.beuchelt.org/2008/08/11/Securing+OpenIDWork+Again.aspx>).
In a nutshell, we would like to require all users to use an https://-
prefixed OpenID identifier, so that RPs normalize and discover over
HTTPS, instead of HTTP. The obvious issue is that -- to my knowledge --
https://openid.sun.com/user != http://openid.sun.com/user. At this point
I see an opportunity for the OpenID community to address some of the
recent vulnerabilities: if RPs started to recognize both https:// and
http:// prefixed identifiers as the same entity, or at least allowed
easy linking, users could migrate with a lot more ease.
This would be less than a mandate for SSL, but make migration a lot less
painful... Your thoughts?
Gerald Beuchelt
Sun Microsystems, Inc.
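As an added illustration (not code from the post, from OpenID at Work, or from any OpenID library), the following Python performs the URL-identifier normalization an RP does under OpenID Authentication 2.0 section 7.2 and shows why the http:// and https:// forms compare as different identities; the openid.sun.com host is used only as sample input, XRI identifiers are out of scope, and any "linking" policy is assumed to be the RP's own.

```python
"""OpenID 2.0 identifier normalization (URL case only) and the
scheme-sensitive comparison an RP applies. Added example; XRIs are
not handled."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-supplied OpenID URL identifier.

    Steps (OpenID Authentication 2.0, section 7.2):
    1. strip surrounding whitespace;
    2. if no http/https scheme is present, prepend "http://";
    3. drop any fragment;
    4. RFC 3986 normalization: lowercase scheme and host, drop a
       default port, and use "/" for an empty path.
    """
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def same_claimed_identity(a: str, b: str) -> bool:
    """Spec behaviour: identifiers match only if their normalized forms
    are byte-for-byte equal, scheme included. Collapsing http and https
    here would let an identity discovered over plain HTTP stand in for
    the HTTPS one, so any such link should be asserted from the HTTPS
    side rather than assumed by the RP."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    for raw in ("openid.sun.com/user", "HTTPS://OpenID.Sun.com:443/user#x"):
        print(f"{raw!r} -> {normalize_identifier(raw)!r}")
    print(same_claimed_identity("http://openid.sun.com/user",
                                "https://openid.sun.com/user"))
```

Running the block prints the normalized forms and `False` for the http/https pair, which is the mismatch the post describes.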