[OpenID] Mis-using generation identifiers to request SSL treatment
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Nov 3 05:36:47 UTC 2008
>I'm a bit confused as to what you're trying to achieve here.
I'm not entirely clear, either :)
>Surely the
>https: URI scheme already provides a way to indicate that a URL should
>be fetched over SSL?
Indeed. Yet how well have we done at communicating this to users? How
consistently do they enter their secure URI instead of omitting the
prefix entirely? Solutions have been suggested, if I'm not mistaken,
such as detecting incoming requests from RP's to the HTTP page and
redirecting them to the HTTPS version, or having OpenID headers
stating that only the HTTPS version should be used for OpenID - but
what if the RP contacts a hostile server because its initial request
was not secure? So, in addition to asking the users to PLEASE enter
"https://", every time, could we ask them to add something like
"#secure=true" to their URI?
Also, since the "#" prefix might be used for generation fragments OR
something like this, and because Accessibility is currently being
discussed in another thread, we could (at risk of conflicting with
the URL spec?) reserve '#' for special OpenID settings, such as
configuration changes: generation fragments might have something like
"#gen_frag=001", blind users might have "#blind=true" (which
wouldn't, necessarily, be part of the final claimed URI, but *could*
be used to invoke the RP's blindness-friendly UI, leaving a complex
GUI in place for most users - though, requiring blind users to enter
a few additional characters at the end of their URI), and so on, as
we came up with such ideas.
-Shade
More information about the general
mailing list