[OpenID] web server - outgoing connections?
Peter Williams
pwilliams at rapattoni.com
Wed Jul 23 20:10:18 UTC 2008
If a "backchannel" xrds source sends back a 401, seeking back channel authentication, is it a) conforming to do so b) conforming to respond?
If the xrds source seeks to upgrade an established tcp connection to https (using http 1.1 signals), is it conforming to ask/respond?
________________________________
From: Andrew Arnott <andrewarnott at gmail.com>
Sent: Wednesday, July 23, 2008 12:56 PM
To: Egon Kocjan <egon at krul.ath.cx>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] web server - outgoing connections?
RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate the issue you speak of.
On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <egon at krul.ath.cx<mailto:egon at krul.ath.cx>> wrote:
Hello,
I am new to openid, so forgive me if this will sound obvious. Let's say
I have a web site and I want to support openid, so users of my site will
be able login using their openid url. The trouble I see here is that my
web server will have to connect to random IPs on the internet as a part
of authentication process*, am I right? Is there an authentication mode,
where client's browser does all the outgoing communication?
* why this is a problem:
- I don't want my web server to be used in ddos attacks
- companies that are serious about security usually deny unrestricted
outgoing connections from servers, so it's also a deployment issue
Thanks,
Egon
_______________________________________________
general mailing list
general at openid.net<mailto:general at openid.net>
http://openid.net/mailman/listinfo/general
More information about the general
mailing list