[OpenID] rfc2817: https vs http
Peter Williams
pwilliams at rapattoni.com
Wed Aug 27 20:06:06 UTC 2008
The rfc upgrades a single http channel to have ssl protections. This is not the same as https, which has a hypermedia security model involiv. Unfortunately, the https protocol was never documented by the design team, though the https rfc that was written up, minimally, was done by someone who believed in a channel (vs centric) model for http needs. That ethos was his own contribution after all, in the era when security models for http/web1.0 were being argued.
-----Original Message-----
From: Story Henry <henry.story at bblfish.net>
Sent: Wednesday, August 27, 2008 12:58 PM
To: OpenID General <general at openid.net>
Subject: [OpenID] rfc2817: https vs http
Apparently rfc2817 allows an http url to be used for https security.
Given that Apache seems to have that implemented [1] and that the
openid url is mostly used for server to server communication, would
this be a way out of the http/https problem?
I know that none of the browsers support it, but I suppose that if the
client does not support this protocol, the server can redirect to the
https url? This seems like it could be easier to implement than XRI.
Disclaimer: I don't know much about rfc2817
Henry
[1] http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg00251.html
http://www.ietf.org/rfc/rfc2817.txt
Home page: http://bblfish.net/
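
The server-side decision discussed in this thread (accept the RFC 2817 upgrade when the client offers it, otherwise redirect to the https URL), as an added example that is not part of either message or of any project's code. The function name `negotiate`, the host `openid.example.org` and the choice of a 301 status for the fallback are assumptions made for illustration.

```python
# Added illustration; negotiate() and the sample host are hypothetical.
from urllib.parse import urlsplit, urlunsplit


def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def negotiate(target, headers):
    """Decide how to answer a cleartext HTTP/1.1 request.

    target  -- request target, e.g. "/id/henry?x=1"
    headers -- dict of request headers
    Returns (status, response_headers).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # RFC 2817 section 3.1: the client offers "Upgrade: TLS/1.0" and,
    # because Upgrade is hop-by-hop, must also send "Connection: Upgrade".
    offers_tls = any(t.startswith("tls/") for t in _tokens(h.get("upgrade", "")))
    hop_by_hop = "upgrade" in _tokens(h.get("connection", ""))
    if offers_tls and hop_by_hop:
        # RFC 2817 section 3.3: accept; the TLS handshake then starts
        # on this same connection, keeping the http:// URL.
        return 101, {"Upgrade": "TLS/1.0, HTTP/1.1", "Connection": "Upgrade"}

    # Fallback from the thread: client did not offer the upgrade,
    # so point it at the https URL (301 is an assumed choice).
    hostname = urlsplit("//" + h.get("host", "")).hostname
    if not hostname:
        return 400, {}
    if ":" in hostname:  # IPv6 literal: restore the brackets
        hostname = "[" + hostname + "]"
    parts = urlsplit(target)
    location = urlunsplit(("https", hostname, parts.path or "/", parts.query, ""))
    return 301, {"Location": location}


if __name__ == "__main__":
    # Constructed sample requests
    print(negotiate("/id/henry", {"Host": "openid.example.org",
                                  "Upgrade": "TLS/1.0",
                                  "Connection": "Upgrade"}))
    print(negotiate("/id/henry", {"Host": "openid.example.org:80"}))
```

An Upgrade header that arrives without a matching `Connection: Upgrade` is treated as not offered, so that request takes the redirect path.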