[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)
Brendan Taylor
whateley at gmail.com
Thu Mar 13 01:50:07 UTC 2008
Quoted from John's blog entry:
> If my OP is doing its job, my primary key is always a https:// URL so
> that if someone poisons the DNS cache they can spoof the http:// version
> of my identifier but not the https:// version. The RP must not consider
> the two URLs synonyms for the purposes of authentication. They may be
> synonyms for display, and I may have proved control over both, however
> only the URL that results from following all redirects is valid for
> securely logging me into an account.
I agree with everything in this paragraph. It doesn't have anything to do
with 303, though.
Support for 303 wouldn't make anything less secure, it just means that
if you want the security of an HTTPS OpenID, a URL responding with a 303
redirect needs to be https:// too.
> The relationship between the "Input Identifier" and the "Claimed ID" is
> a one way one at best, they are not intended as synonyms.
For the nth time, *nobody thinks they are*.
I'm quite frustrated by this discussion. I don't know what's causing the
failure of understanding here.
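The discovery behaviour argued about above, as an added example that is not part of the original post and not code from any OpenID library: a relying party follows every redirect (a 303 like any other), keys the account on the final URL rather than the input, and never folds http:// and https:// into one identifier. The in-memory "web", the example.com URLs and the helper names (FAKE_WEB, normalize, discover, login, require_https) are all constructed for this illustration; the normalization step is a simplified version of OpenID 2.0 section 7.2.

```python
"""Added example, not from the post or any OpenID implementation.
Shows why an RP authenticates against the URL reached after following
all redirects, and why http:// and https:// identifiers are never
synonyms for login.  The web below is constructed in memory so the
example runs offline."""

from urllib.parse import urlsplit, urlunsplit

# Constructed responses (hypothetical URLs): url -> (status, Location).
# A 200 means this URL is the identifier page that will be used.
FAKE_WEB = {
    "http://example.com/brendan":  (303, "https://example.com/brendan"),
    "https://example.com/brendan": (200, None),
    "https://example.com/john":    (303, "http://example.com/john"),  # downgrade
    "http://example.com/john":     (200, None),
    "http://example.com/loop":     (302, "http://example.com/loop"),
}

MAX_REDIRECTS = 10


def normalize(user_input):
    """Simplified OpenID 2.0 normalization of the User-Supplied Identifier:
    prepend http:// when no scheme was typed and drop any fragment."""
    s = user_input.strip()
    if not s.startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def discover(user_input, web=FAKE_WEB, require_https=False):
    """Follow 301/302/303/307 redirects and return the URL that finally
    answers 200: that URL, not the input, is the Claimed Identifier.
    With require_https=True every hop, including a 303 responder, must be
    https://, otherwise the https identifier gives no protection."""
    url = normalize(user_input)
    seen = []
    for _ in range(MAX_REDIRECTS):
        if require_https and not url.startswith("https://"):
            raise ValueError("non-https hop in discovery chain: %s" % url)
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.append(url)
        status, location = web.get(url, (404, None))
        if status in (301, 302, 303, 307):
            url = location          # a 303 is followed like any redirect
        elif status == 200:
            return url
        else:
            raise ValueError("discovery failed at %s (HTTP %d)" % (url, status))
    raise ValueError("too many redirects")


def same_identifier(a, b):
    """Authentication-grade comparison: exact match, no scheme folding,
    so http://x and https://x are different identifiers."""
    return a == b


def login(user_input, accounts, web=FAKE_WEB):
    """accounts maps stored Claimed Identifier -> account name.  Returns the
    account whose identifier exactly equals the discovered one, else None."""
    claimed = discover(user_input, web)
    for stored, account in accounts.items():
        if same_identifier(stored, claimed):
            return account
    return None


if __name__ == "__main__":
    print(discover("example.com/brendan"))   # https://example.com/brendan
    print(login("example.com/brendan", {"https://example.com/brendan": "brendan"}))
    print(login("example.com/brendan", {"http://example.com/brendan": "spoof"}))
```

Typing "example.com/brendan" resolves through the 303 to the https:// page, so an account stored under the https:// identifier matches while one stored under the http:// form does not, even though the user "proved control" of the http:// input. The john chain shows the converse: an https:// input whose 303 points at an http:// URL ends with an http:// Claimed Identifier, which is exactly the downgrade a DNS-poisoning attacker wants and why require_https rejects it.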