[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Cameron King
cameron at uniquekings.com
Sat Jan 12 19:14:07 UTC 2008
I'm coming into this game late, but with a heavy interest and high hopes
- so please correct me if I say something that's too far off in left field.
My only real concern with having https be the default protocol for
OpenIDs is that vhosted sites who want to delegate become more
complicated - probably requiring a plan upgrade just for that SSL and
dedicated IP. We can't easily "autodetect" either without causing
spoofing issues on vhosts.
If all RPs accept https addresses when fully specified though, you
might be able to get that end-to-end encryption for yourself without
causing problems for vhosts.
Eddy Nigg (StartCom Ltd.) wrote:
> Well, I suggested that more than a year ago just to get booed down...it
> really should be part of the policy
>
> Sean Reilly wrote:
>>
>> I think the point is that OpenIDs should start with https: so that
>> there is no http->https redirection needed. If any step of the
>> process goes through a normal http exchange/redirect then there is a
>> weak link in the chain where a bad guy could take over the
>> authentication.
--
Cameron King
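The thread argues two things: an identifier that is fully specified as https should be accepted by a relying party with no http hop anywhere in the chain, while plain-http identifiers (vhosted delegates without their own certificate) are still usable but weaker. The following is an added example, not code from this thread or from any OpenID library, showing how a relying party could encode that policy: it normalizes a user-typed identifier (scheme-less input defaults to http, as OpenID 2.0 normalization does) and then classifies the sequence of URLs visited during discovery, rejecting any downgrade to http once the user asked for https. The function names and the three result labels are assumptions made for the example; the hop lists in the usage section are constructed, not real discovery traffic.

```python
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Turn a user-typed OpenID identifier into a canonical URL.

    Assumption (matches OpenID 2.0 normalization): input without a scheme
    defaults to http://. An explicit https:// is preserved exactly, which is
    what lets a user opt in to end-to-end TLS without forcing it on everyone.
    """
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported identifier scheme: " + scheme)
    if not parts.netloc:
        raise ValueError("identifier has no host")
    path = parts.path or "/"
    # Host names are case-insensitive; fragments are not part of the identifier
    return urlunsplit((scheme, parts.netloc.lower(), path, parts.query, ""))


def classify_discovery_chain(claimed: str, hops: list[str]) -> str:
    """Apply the policy discussed in the thread to one discovery run.

    `claimed` is the identifier the user typed; `hops` is the list of URLs the
    relying party actually fetched after it (each redirect target, then the
    final document), in order.

    Returns one of three example labels (names are this example's own):
      "accept-https"     - identifier is https and every hop stayed on https
      "reject-downgrade" - identifier is https but some hop fell back to http,
                           i.e. the weak link the thread warns about
      "accept-http-weak" - plain-http identifier; allowed for vhosted
                           delegates, but the relying party knows it is weaker
    """
    start = normalize_identifier(claimed)
    schemes = [urlsplit(u).scheme.lower() for u in [start, *hops]]
    if schemes[0] == "https":
        if all(s == "https" for s in schemes):
            return "accept-https"
        return "reject-downgrade"
    return "accept-http-weak"


if __name__ == "__main__":
    # Constructed discovery chains, not captured traffic.
    cases = [
        ("https://me.example.org/", ["https://me.example.org/openid"]),
        ("https://me.example.org/", ["http://me.example.org/openid"]),
        ("me.example.org", ["https://provider.example.net/"]),
    ]
    for claimed, hops in cases:
        print(f"{claimed:28} -> {classify_discovery_chain(claimed, hops)}")
```

A relying party that wants the thread's stricter policy can simply treat "accept-http-weak" as a rejection; keeping it as a distinct label lets the same code serve both the "https only" and the "https when fully specified" positions.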