[OpenID] RPs accepting https:// identifiers
Sam Alexander
sxalexander at gmail.com
Mon Aug 11 20:30:09 UTC 2008
I've had some chats about this, and it would seem one problem would be
that if an OP does not require HTTPS-only, a user using their HTTPS
identifier exclusively would suddenly become vulnerable because if
their HTTP identifier were compromised, their entire account would be.
-Sam
On Aug 11, 2008, at 2:44 PM, Gerald Beuchelt wrote:
> In light of the recent security issues, we have decided to improve
> the security of our OpenID at Work service/experiment.
>
> In a nutshell, we would like to require all users to use https://
> prefixed OpenID identifier, so that RPs normalize and discover over
> HTTPS, instead of HTTP. The obvious issue is that -- to my knowledge
> -- https://openid.sun.com/user != http://openid.sun.com/user. At
> this point I see an opportunity for the OpenID community to address
> some of the recent vulnerabilities: if RPs started to recognize both https://
> and http:// prefixed identifiers as the same entity, or at least
> allowed easy linking, users could migrate with a lot more ease.
>
> This would be less than a mandate for SSL, but make migration a lot
> less painful... Your thoughts?
>
> Gerald Beuchelt
> Sun Microsystems, Inc.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
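The RP-side handling Sam's reply argues for, as an added example that is not code from the thread or from any OpenID library: identifiers are normalized in the spirit of OpenID 2.0 section 7.2 but the scheme is kept, so an http:// and an https:// identifier remain distinct accounts, and an http:// claim against an existing https:// account is reported as a downgrade that needs explicit linking rather than being accepted as the same entity. The in-memory account store and its status strings are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(claimed: str) -> str:
    """Normalize a user-typed identifier the way an RP does before discovery:
    add http:// when no scheme is given, lower-case scheme and host, drop the
    fragment and default port, default the path to '/'. The scheme is kept,
    so http://host/user and https://host/user stay different identifiers."""
    s = claimed.strip()
    if "://" not in s:
        s = "http://" + s          # a bare identifier defaults to http
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""   # .hostname is already lower-cased
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if (port is None or default) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def other_scheme(ident: str) -> str:
    """The same host/path under the other scheme (constructed helper)."""
    if ident.startswith("https://"):
        return "http://" + ident[len("https://"):]
    return "https://" + ident[len("http://"):]


class AccountStore:
    """Constructed RP account store keyed on the full normalized identifier."""

    def __init__(self):
        self.accounts = {}

    def register(self, claimed: str, account: str) -> None:
        self.accounts[normalize_identifier(claimed)] = account

    def lookup(self, claimed: str):
        """Return (status, account). Only an exact scheme match is 'match'.
        An http:// claim for a user known under https:// is a 'downgrade':
        the weaker identifier must not unlock the account on its own."""
        ident = normalize_identifier(claimed)
        if ident in self.accounts:
            return "match", self.accounts[ident]
        twin = other_scheme(ident)
        if twin in self.accounts:
            if ident.startswith("http://"):
                return "downgrade", self.accounts[twin]
            return "link-candidate", self.accounts[twin]  # https proven; offer linking
        return "unknown", None
```

A "downgrade" result is where the RP should stop and require the user to link the identifiers deliberately, which is the "easy linking" Gerald asks for without the silent equivalence Sam warns about.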