[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Trevor Johns
trevor at tjohns.net
Sun Jan 13 01:59:44 UTC 2008
On Jan 12, 2008, at 11:14 AM, Cameron King wrote:
> My only real concern with having https be the default protocol for
> OpenIDs is that vhosted sites who want to delegate become more
> complicated - probably requiring a plan upgrade just for that SSL and
> dedicated IP. We can't easily "autodetect" either without causing
> spoofing issues on vhosts.
>
> If all RP's accept https addresses when fully specified though, you
> might be able to get that end-to-end encryption for yourself without
> causing problems for vhosts.
Yes, that's correct.
Though, the important part is that HTTPS requests are signed and
there's a chain of trust leading back to a recognized CA. The
encryption isn't that beneficial (except when entering your password),
since there's nothing sensitive in an OpenID exchange. :)
--
Trevor Johns
http://tjohns.net
More information about the general
mailing list