[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Manger, James H
James.H.Manger at team.telstra.com
Wed Jan 16 05:44:36 UTC 2008

You could selectively redirect to HTTPS (or make other RP-dependent choices)
much more easily if the Relying Party (RP) identified itself during
discovery. For instance, by including a "From:" HTTP request header when
performing a GET on a user-entered identifier. For Trevor's current
situation, he would redirect to HTTPS if, and only if, a "From:" request
header was present.

This was suggested earlier:
http://openid.net/pipermail/specs/2007-October/002007.html

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Trevor Johns
Sent: Friday, 11 January 2008 10:57 PM
To: general at openid.net
Subject: [OpenID] Selectively Redirecting OpenID Traffic To HTTPS

According to the OpenID spec, HTTPS identifiers are recommended over
HTTP. Since the default scheme for a URL identifier is HTTP, the spec
also recommends creating a redirect from the HTTP version of a URL to
the HTTPS version of a URL when possible.

While creating this redirect isn't itself a problem, I don't want to
send visitors to the HTTPS version of my site unless necessary. Is
there any way to selectively redirect OpenID traffic to HTTPS without
affecting normal traffic?
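
The rule suggested in the reply (redirect to HTTPS if, and only if, a "From:" request header is present), sketched as WSGI middleware. This is an added example, not code from the thread or from any OpenID library; it assumes Relying Parties actually send "From:" during discovery, which the thread only proposes. The names `selective_https_redirect`, `canonical_host`, `identity_page` and `fetch`, the 302 status and the sample host and address are constructed for illustration.

```python
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

def selective_https_redirect(app, canonical_host):
    """WSGI middleware: redirect http:// requests to HTTPS only when From: is present."""
    def middleware(environ, start_response):
        def vary_start(status, headers, exc_info=None):
            # The response depends on From:, so shared caches must key on it;
            # otherwise a cached redirect could be served to ordinary visitors.
            return start_response(status, headers + [("Vary", "From")], exc_info)

        is_http = environ.get("wsgi.url_scheme") == "http"
        if is_http and environ.get("HTTP_FROM", "").strip():
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            query = environ.get("QUERY_STRING", "")
            # Use the configured host rather than reflecting the Host: header.
            location = "https://" + canonical_host + path + ("?" + query if query else "")
            vary_start("302 Found", [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, vary_start)
    return middleware

def identity_page(environ, start_response):
    # Stand-in for the page served at the user's identifier URL.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>identity page</html>"]

def fetch(app, scheme, path, from_header=None):
    """Drive the app with a constructed request; return (status, headers dict)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path}
    if from_header is not None:
        environ["HTTP_FROM"] = from_header
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

# Constructed deployment: identifier URLs live on id.example.org.
APP = selective_https_redirect(identity_page, "id.example.org")
```
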