[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Thu Jan 1 23:23:35 UTC 2009


Right, Eddy.  Eric, an HTTPS claimed ID and an HTTP claimed ID are required
to be regarded by an RP as completely distinct identities.  And by using
HTTPS you are *only protecting the discovery phase* of authentication.  You
protect the first leg of authentication by making discovery return an HTTPS
OP endpoint URL, and the OP is obliged to protect the rest of authentication
by only redirecting the user agent to HTTPS URLs until it finally redirects
back to the RP.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 4:00 PM, Eddy Nigg (StartCom Ltd.) <
eddy_nigg at startcom.org> wrote:

> On 01/02/2009 12:49 AM, Eric Norman:
>
>> On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:
>>
>> The OpenID 2 spec says in section 15 (a non-normative must, note):
>>
>> "In order to get protection from SSL, SSL must be used for all parts
>> of the interaction, including interaction with the end user through
>> the User-Agent."
>>
>> When I include "https:" in my OpenID, I'm saying that I
>> want protection by SSL, right?
>
> Your OpenID is https:// then; it's not necessarily the same as http, and the
> other way around too. It has already been mentioned many times.
>
>> So if something elsewhere decides not to use SSL for
>> whatever reason, that would be incorrect behavior, right?
>
> Correct. However, an OP may return the claimed OpenID as https (there are,
> for example, some OPs which don't do plain http, only https via redirect).
>
>> And let's not forget that the error message I quoted is
>> clearly inappropriate.
>
> Regards
> Signer:  Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber:  startcom at startcom.org
> Blog:  Join the Revolution! <http://blog.startcom.org>
> Phone:  +1.213.341.0390
>
>
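The two RP-side rules discussed in this thread, that http:// and https:// claimed identifiers are different identities and that an HTTPS claimed identifier only protects the discovery step, come down to a few comparisons an RP has to get right. The following is an added example (it is not code from anyone on this thread or from any OpenID library); it normalizes identifiers the way OpenID 2.0 section 7.2 describes and then applies those rules. The function names and the sample identifiers are this example's own.

```python
"""Added example, not from the thread or from any OpenID library: the checks
an RP needs to keep http:// and https:// claimed identifiers apart and to
confirm that an HTTPS claimed identifier actually protected discovery.
Function names and sample identifiers are assumptions of this example."""
from urllib.parse import urlsplit, urlunsplit

# Global context symbols that mark an XRI rather than a URL (OpenID 2.0 s7.2).
_XRI_GCS = ("=", "@", "+", "$", "!", "(")
_DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-supplied identifier as OpenID 2.0 section 7.2
    prescribes: strip a leading "xri://", leave XRIs alone, default a
    missing scheme to http://, lowercase scheme and host, drop default ports
    and the fragment, and give an empty path a trailing "/".  The scheme is
    kept, so https://example.com/ and http://example.com/ stay distinct."""
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in _XRI_GCS:
        return s                      # XRI: treated as an opaque string here
    if "://" not in s:
        s = "http://" + s             # the spec's default is http, not https
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORT:
        raise ValueError(f"unsupported scheme in identifier: {user_input!r}")
    host = parts.hostname or ""       # hostname is already lowercased
    if not host:
        raise ValueError(f"identifier has no host: {user_input!r}")
    if parts.port is not None and parts.port != _DEFAULT_PORT[scheme]:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # fragment dropped


def same_identity(a: str, b: str) -> bool:
    """True only when both inputs normalize to the identical identifier.
    Because the scheme survives normalization, http://x/ and https://x/
    are two different accounts at the RP."""
    return normalize_identifier(a) == normalize_identifier(b)


def discovery_is_protected(claimed_id: str, op_endpoint: str) -> bool:
    """An HTTPS claimed identifier only protects authentication if discovery
    yielded an HTTPS OP endpoint URL.  An HTTP claimed identifier asked for
    no protection, so nothing is checked for it."""
    claimed_scheme = urlsplit(normalize_identifier(claimed_id)).scheme
    if claimed_scheme != "https":
        return True
    return urlsplit(op_endpoint).scheme.lower() == "https"


def assertion_matches_discovery(discovered_claimed_id: str,
                                asserted_claimed_id: str) -> bool:
    """On return from the OP, the openid.claimed_id in the positive assertion
    must be the identifier the RP discovered, scheme included.  Normalizing
    both sides tolerates a fragment the OP may append, but a scheme change
    is a different identity and must be rejected."""
    return (normalize_identifier(asserted_claimed_id)
            == normalize_identifier(discovered_claimed_id))


if __name__ == "__main__":
    # Constructed sample identifiers; no real OP is contacted.
    print(normalize_identifier("Example.com"))                  # http://example.com/
    print(same_identity("http://example.com/", "https://example.com/"))  # False
    print(discovery_is_protected("https://example.com/",
                                 "http://op.example.net/server"))         # False
```

The deliberate asymmetry in `discovery_is_protected` mirrors Andrew's point: the RP can only demand an HTTPS OP endpoint when the user chose an HTTPS claimed identifier, and even then it has only secured discovery; whether the OP keeps the rest of the exchange on HTTPS is the OP's obligation, not something the RP can verify from the claimed identifier alone.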