[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Thu Jan 1 23:26:51 UTC 2009 

SP?  Do you mean RP?  SP is an acronym that applies to OAuth.  OpenID uses
RP and OP.  I assume by SP you mean RP here...

The OpenID 2.0 spec section
15<http://openid.net/specs/openid-authentication-2_0.html#security_considerations>calls
out several opt-in measures that an RP or OP can take to increase
security for the authentication process.  But no, as has been stated an RP
is not obliged per (my reading of) the spec to require that if discovery is
done using HTTPS that authentication must also be done using HTTPS.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <pwilliams at rapattoni.com>wrote:

>  Is the SP right or wrong to redirect to an http OP endpoint, given an
> https openid, in your understanding of the spec (and what it means to be a
> conforming implementation)?
>
>
>
>
>
> Though operating in openid1 legacy mode, neither SP not OP objected –
> probably because the spec does call out for code to raise an exception –
> presumably because it isn't one, formally.
>
>
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Eddy Nigg (StartCom Ltd.)
> *Sent:* Thursday, January 01, 2009 3:00 PM
> *Cc:* OpenID List
> *Subject:* Re: [OpenID] Bug in OpenID RP implementations
>
>
>
>
> On 01/02/2009 12:49 AM, Eric Norman:
>
> On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:
>
>
>
>
>
> The openid 2 spec says in section 15 (a non-normative must, note):
>
>
>
> "In order to get protection from SSL, SSL must be used for all parts
>
> of the interaction, including interaction with the end user through
>
> the User-Agent."
>
>
>
>
>
> When I include "https:" in my OpenID, I'm saying that I
>
> want protection by SSL, right?
>
>
>
>
> Your OpenID is https:// then, it's not ncesseraly the same as http and the
> other way around too. It has been many times already mentioned.
>
>
>
>
> So if something elsewhere decides not to use SSL for
>
> whatever reason, that would be incorrect behavior, right?
>
>
>
>
> Correct. However an OP may return the claimed OpenID as https (there are
> for example some OPs which don't do plain http, only https via redirect.
>
>
>
>
> And let's not forget that the error message I quoted is
>
> clearly inappropriate.
>
>
>
>
>
>
>
>
>
> Regards
>
>
>
> Signer:
>
> Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
>
> Jabber:
>
> startcom at startcom.org
>
> Blog:
>
> Join the Revolution! <http://blog.startcom.org>
>
> Phone:
>
> +1.213.341.0390
>
>
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090101/ebf869f3/attachment-0002.htm>

More information about the general mailing list