[OpenID] Bug in OpenID RP implementations
Peter Williams
pwilliams at rapattoni.com
Thu Jan 1 23:02:53 UTC 2009
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Thursday, January 01, 2009 2:50 PM
> To: OpenID List
> Subject: Re: [OpenID] Bug in OpenID RP implementations
>
>
> On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:
>
> > The openid 2 spec says in section 15 (a non-normative must, note):
> >
> > "In order to get protection from SSL, SSL must be used for all parts
> > of the interaction, including interaction with the end user through
> > the User-Agent."
>
> When I include "https:" in my OpenID, I'm saying that I
> want protection by SSL, right?
[Peter Williams]
That was what I would have thought. It aligns with any other website https URL, used in any browser. But what I think is typically wrong more than half the time. And, a form field is not an address bar (not that the average consumer will be cognizant of the different security semantics - even after oodles of EV marketing about the magical significance of green backgrounds).
We can guess that the wordpress RP properly used https to discover (I've no way to tell, though).
I'd have "expected" discovery to fail, on being unable to find an https OP endpoint in the metadata.
But, I cannot find anything in the spec that says that. It's just intuition (and kind of agreeing with the _non normative_ must).
Since metadata authorization/control is in the hands of users, are they allowed to screw their configuration? Well yes.
Perhaps the spec is being too permissive, and allowing users to too easily screw up.
My blog provider (MSN Spaces) goes one step further, and strips any and ALL meta tags out of my site when I edit them in by hand.
>
> So if something elsewhere decides not to use SSL for
> whatever reason, that would be incorrect behavior, right?
>
> And let's not forget that the error message I quoted is
> clearly inappropriate.
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
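An added illustration, not code from the thread or from any RP implementation, of the check Peter says he expected: an RP doing HTML-based discovery (the openid2.provider link) that refuses to proceed when an https claimed identifier resolves to a non-https OP endpoint. As the thread itself notes, the spec does not require this; it is a stricter reading of the Section 15 note. The sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class DowngradeError(Exception):
    """Raised when an https claimed identifier leads to a non-https OP endpoint."""


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> elements from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = {k.lower(): v for k, v in attrs if v is not None}
        if "href" in attr:
            # rel may carry several space-separated values, e.g. "openid2.provider openid.server"
            rels = attr.get("rel", "").lower().split()
            self.links.append((rels, attr["href"]))


def discover_op_endpoint(html):
    """HTML-based discovery: return the href of the first
    <link rel="openid2.provider"> in the page, or None if there is none."""
    collector = _LinkCollector()
    collector.feed(html)
    for rels, href in collector.links:
        if "openid2.provider" in rels:
            return href
    return None


def checked_discovery(claimed_id, html):
    """Discover the OP endpoint for claimed_id from its HTML, then apply the
    stricter rule discussed in the thread (an assumption, not a spec MUST):
    if the user typed an https identifier, an http OP endpoint is a downgrade
    and discovery fails instead of silently continuing without SSL."""
    endpoint = discover_op_endpoint(html)
    if endpoint is None:
        raise LookupError("no openid2.provider link found for %s" % claimed_id)
    if urlparse(claimed_id).scheme == "https" and urlparse(endpoint).scheme != "https":
        raise DowngradeError(
            "claimed identifier %s is https but OP endpoint %s is not"
            % (claimed_id, endpoint))
    return endpoint


# Constructed sample pages; op.example and alice.example are placeholders.
SECURE_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example/server">
</head><body>alice</body></html>"""

DOWNGRADED_PAGE = """<html><head>
<link rel="openid2.provider" href="http://op.example/server">
</head><body>alice</body></html>"""


if __name__ == "__main__":
    print(checked_discovery("https://alice.example/", SECURE_PAGE))
    try:
        checked_discovery("https://alice.example/", DOWNGRADED_PAGE)
    except DowngradeError as e:
        print("refused:", e)
```

Note that the check only covers the first hop; the spec note quoted above wants SSL on every leg, including the fetch of the identifier page itself and the redirect of the user's browser to the OP, so a real RP would also have to fetch the claimed identifier over https and refuse a redirect to any http location.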