[OpenID] RPs accepting https:// identifiers

Andrew Arnott andrewarnott at gmail.com
Mon Aug 11 20:39:24 UTC 2008 

Gerald, you are correct in that the spec explicitly says that an
https://Identifier not be considered the same as an otherwise
equivalent http://Identifier by an RP.  I don't know what all the
reasons are for this, but I
can think of a few (which I'll forbear listing unless you want to see
them).
I agree the migration path is really bumpy.  The spec being what it is, the
only way to do this is for each and every RP to provide a way for its user
to login using the old http:// URL, and associate a second OpenID to their
same account (the one that uses https://).  Then the OPs should offer an
auto-redirect *option* for their users so that when the users are
comfortable that they're using their https:// Identifier at all the RPs they
log into, the OP will from that point on (for just that user) redirect
http:// to https:// automatically for them to help them stay with their more
secure identity.
It should be noted though that even with this, http:// is still the first
request by the RP if the user doesn't explicitly specify https:// in the
Identifier box, and therefore subject to a DNS poisoning attack whenever
https:// is not given.

On Mon, Aug 11, 2008 at 12:44 PM, Gerald Beuchelt <beuchelt at sun.com> wrote:

>  In light of the recent security issues, we have decided to improve the
> security<http://blog.beuchelt.org/2008/08/11/Securing+OpenIDWork+Again.aspx>of our OpenID at Workservice/experiment.
>
> In a nutshell, we would like to require all users to use https:// prefixed
> OpenID identifier, so that RPs normalize and discover over HTTPS, instead of
> HTTP. The obvious issue is that -- to my knowledge --
> https://openid.sun.com/user != http://openid.sun.com/user. At this point I
> see an opportunity for the OpenID community to address some of the recent
> vulnerabilities: if RPs started to recognize both https:// and http://prefixed identifiers as the same entity, or at least allowed easy linking,
> users could migrate with a lot more ease.
>
> This would be less than a mandate for SSL, but make migration a lot less
> painful... Your thoughts?
>
> Gerald Beuchelt
> Sun Microsystems, Inc.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080811/6a26c5d8/attachment-0002.htm>

More information about the general mailing list