[OpenID] RPs accepting https:// identifiers

Gerald Beuchelt beuchelt at sun.com
Mon Aug 11 20:37:26 UTC 2008


A good point that I would address by proposing not full equality of the https:// and http:// identifiers, but instead have the RP perform a one-time security 'upgrade':

Assuming that the RP recognizes a particular claimed_id, e.g. http://openid.sun.com/user. Whenever there is a login with the same identifier over HTTPS (i.e. claimed_id is https://openid.sun.com/user in the example), the RP can 'upgrade' the account to an HTTPS-only account.

On the OP side, any account for https://x.y.z should trigger the complete block for any http://x.y.z ids.

Best,

Gerald

Sam Alexander wrote:
> I've had some chats about this, and it would seem one problem would be 
> that if an OP does not require HTTPS-only, a user using their HTTPS 
> identifier exclusively would suddenly become vulnerable because if 
> their HTTP identifier were compromised, their entire account would be.
>
> -Sam
>
> On Aug 11, 2008, at 2:44 PM, Gerald Beuchelt wrote:
>
>> In light of the recent security issues, we have decided to improve 
>> the security 
>> <http://blog.beuchelt.org/2008/08/11/Securing+OpenIDWork+Again.aspx> 
>> of our OpenID at Work service/experiment.
>>
>> In a nutshell, we would like to require all users to use https:// 
>> prefixed OpenID identifier, so that RPs normalize and discover over 
>> HTTPS, instead of HTTP. The obvious issue is that -- to my knowledge 
>> -- https://openid.sun.com/user != http://openid.sun.com/user. At this 
>> point I see an opportunity for the OpenID community to address some 
>> of the recent vulnerabilities: if RPs started to recognize both 
>> https:// and http:// prefixed identifiers as the same entity, or at 
>> least allowed easy linking, users could migrate with a lot more ease.
>>
>> This would be less than a mandate for SSL, but make migration a lot 
>> less painful... Your thoughts?
>>
>> Gerald Beuchelt
>> Sun Microsystems, Inc.
>> _______________________________________________
>> general mailing list
>> general at openid.net <mailto:general at openid.net>
>> http://openid.net/mailman/listinfo/general
>
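As an added illustration, not code from this thread, from Sun's OpenID at Work service or from any OpenID library, the following Python sketch models the RP-side one-time upgrade Gerald proposes and the OP-side block, and walks through the sequence Sam's objection points at (an http login is still accepted until the first https login triggers the upgrade). The scheme-independent identifier normalization, the in-memory account store and the sample identifiers are all assumptions.

```python
from urllib.parse import urlsplit

# Added example, not code from the thread or from any OpenID library.
# Models the relying-party (RP) "one-time security upgrade" and the
# OP-side block described in the message. Identifier normalization,
# the account store and the sample identifiers are all assumptions.

DEFAULT_PORTS = {"http": 80, "https": 443}


def identifier_key(claimed_id: str) -> str:
    """Scheme-independent key: https://x.y.z/u and http://x.y.z/u map to
    the same account. Host is case-insensitive, default ports are dropped,
    and an empty path is treated as '/'."""
    parts = urlsplit(claimed_id)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = "%s:%d" % (host, port)
    return host + (parts.path or "/")


class RelyingParty:
    """RP account store: an account is created on first login and, once a
    login for the same identifier arrives over https, becomes HTTPS-only."""

    def __init__(self):
        self.accounts = {}  # key -> {"https_only": bool}

    def login(self, claimed_id: str) -> bool:
        scheme = urlsplit(claimed_id).scheme
        key = identifier_key(claimed_id)
        acct = self.accounts.setdefault(key, {"https_only": False})
        if scheme == "https":
            acct["https_only"] = True  # one-time upgrade, never reverted
            return True
        # http login: accepted until the upgrade, rejected afterwards
        return not acct["https_only"]


class OpenIDProvider:
    """OP side: once a user holds an https:// identifier, the matching
    http:// identifier is no longer served (discovery/assertion refused)."""

    def __init__(self, https_identifiers):
        self.https_keys = {identifier_key(i) for i in https_identifiers}

    def serves(self, identifier: str) -> bool:
        scheme = urlsplit(identifier).scheme
        if scheme == "http" and identifier_key(identifier) in self.https_keys:
            return False
        return True


def walkthrough():
    """Constructed sample sequence: shows the window before the upgrade
    (http still accepted) and how it closes at the RP and at the OP."""
    rp = RelyingParty()
    results = [
        rp.login("http://openid.sun.com/user"),   # True: plain account
        rp.login("https://openid.sun.com/user"),  # True: upgrades account
        rp.login("http://openid.sun.com/user"),   # False: HTTPS-only now
        rp.login("http://openid.sun.com/other"),  # True: separate account
    ]
    op = OpenIDProvider(["https://openid.sun.com/user"])
    results += [
        op.serves("http://openid.sun.com/user"),   # False: blocked at OP
        op.serves("https://openid.sun.com/user"),  # True
        op.serves("http://openid.sun.com/other"),  # True: no https account
    ]
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The third `login` call is the point of the proposal: after the upgrade the RP refuses the http form of the identifier regardless of what discovery over HTTP would return, and the OP-side `serves` check stops the http identifier from being asserted at all, which is what closes the exposure Sam describes for users whose OP does not require HTTPS-only.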
