[OpenID] RPs accepting https:// identifiers

Gerald Beuchelt beuchelt at sun.com
Mon Aug 11 21:18:38 UTC 2008


Andrew -

    I agree with your more general approach--in fact, I would probably 
even like RPs to allow association of a particular account with *any* 
new OpenID identifier. But that would obviously put an even bigger 
burden on the RPs, which is not necessarily something OpenID needs right 
now...

    Requiring authentication with the old (http:// based) OpenID prior 
to associating the new (https:// based) identifier should definitely 
be part of the 'upgrade' process.

Best,

Gerald

Andrew Arnott wrote:
> Gerald, you are correct in that the spec explicitly says that an 
> https:// Identifier not be considered the same as an otherwise 
> equivalent http:// Identifier by an RP.  I don't know what all the 
> reasons are for this, but I can think of a few (which I'll forbear 
> listing unless you want to see them). 
> I agree the migration path is really bumpy.  The spec being what it 
> is, the only way to do this is for each and every RP to provide a way 
> for its user to log in using the old http:// URL, and associate a 
> second OpenID to their same account (the one that uses https://).  
> Then the OPs should offer an auto-redirect /option/ for their users so 
> that when the users are comfortable that they're using their https:// 
> Identifier at all the RPs they log into, the OP will from that point 
> on (for just that user) redirect http:// to https:// automatically for 
> them to help them stay with their more secure identity.
> It should be noted though that even with this, http:// is still the 
> first request by the RP if the user doesn't explicitly specify 
> https:// in the Identifier box, and therefore subject to a DNS 
> poisoning attack whenever https:// is not given.
>

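The RP-side upgrade path discussed above, as an added illustration that is not part of the thread or any OpenID library: identifiers are compared with the scheme kept significant (so http:// and https:// forms never match), scheme-less input defaults to http:// as the spec prescribes (the bare-http first request Andrew points out), and a second identifier can only be attached to an account from a session that has already authenticated with an identifier on that account. The normalization is a simplified version of the OpenID 2.0 rule, and the `session_verified` flag standing in for a completed OpenID authentication is an assumption of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 URL normalization (assumption of this example):
    lowercase scheme and host, drop the fragment, empty path becomes '/'.
    Input without a scheme gets http:// prepended, as the spec says, which is
    why the first request is plain http unless the user types https://."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text  # spec default: no scheme means http
    parts = urlsplit(text)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """Scheme is significant: https:// and http:// forms are distinct."""
    return normalize_identifier(a) == normalize_identifier(b)


@dataclass
class RelyingParty:
    accounts: dict = field(default_factory=dict)       # account -> {identifiers}
    by_identifier: dict = field(default_factory=dict)  # identifier -> account

    def register(self, account: str, identifier: str) -> None:
        ident = normalize_identifier(identifier)
        self.accounts.setdefault(account, set()).add(ident)
        self.by_identifier[ident] = account

    def lookup(self, identifier: str):
        return self.by_identifier.get(normalize_identifier(identifier))

    def link_identifier(self, session_identifier: str, session_verified: bool,
                        new_identifier: str) -> str:
        """Attach a second identifier only after the user has authenticated
        with one already on the account (the required upgrade step)."""
        if not session_verified:
            raise PermissionError("authenticate with the existing identifier first")
        account = self.lookup(session_identifier)
        if account is None:
            raise PermissionError("session identifier belongs to no account")
        ident = normalize_identifier(new_identifier)
        if self.by_identifier.get(ident, account) != account:
            raise ValueError("identifier already belongs to another account")
        self.accounts[account].add(ident)
        self.by_identifier[ident] = account
        return account
```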