[OpenID] Bug in OpenID RP implementations
Martin Atkins
mart at degeneration.co.uk
Fri Jan 2 00:40:06 UTC 2009
Andrew Arnott wrote:
>
> Ideally, myopenid.com and all other OPs would redirect identity page
> requests that come in on HTTP to HTTPS so that all claimed identifiers and
> authentication would occur over HTTPS to provide higher security to users.
>
Of course, as we currently stand existing providers such as MyOpenID
cannot do this because that would effectively change the OpenID
identifiers for all of their users that had not explicitly typed the
https: prefix into the RP.

OpenID really needs a way to migrate from one identifier to another
without breaking the connection to existing accounts.
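
The identifier change described in the message above, as an added example that is not part of the original post. It applies the OpenID 2.0 URL normalization and redirect-following rules to a constructed RP account table; the host `op.example`, the account ids and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(user_input):
    """OpenID 2.0 section 7.2 normalization for URL input (XRI handling omitted)."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s  # no scheme typed: the spec assumes plain http
    p = urlsplit(s)
    # Lowercase scheme and host, turn an empty path into "/", drop the fragment.
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def claimed_identifier(user_input, redirects):
    """Follow redirects as discovery does; the final URL is the claimed identifier."""
    url = normalize(user_input)
    seen = set()
    while url in redirects and url not in seen:  # 'seen' guards against loops
        seen.add(url)
        url = normalize(redirects[url])
    return url

# Constructed RP account table, keyed by the claimed identifier stored at sign-up.
ACCOUNTS = {
    "http://alice.op.example/": "account-1001",   # alice typed "alice.op.example"
    "https://bob.op.example/": "account-1002",    # bob typed the https: prefix
}

# Constructed OP behaviour before and after it starts redirecting HTTP to HTTPS.
NO_REDIRECT = {}
HTTPS_REDIRECT = {
    "http://alice.op.example/": "https://alice.op.example/",
    "http://bob.op.example/": "https://bob.op.example/",
}

def login(user_input, redirects):
    """Return the RP account bound to the claimed identifier, or None."""
    return ACCOUNTS.get(claimed_identifier(user_input, redirects))

if __name__ == "__main__":
    for who in ("alice.op.example", "https://bob.op.example"):
        for name, table in (("before", NO_REDIRECT), ("after", HTTPS_REDIRECT)):
            cid = claimed_identifier(who, table)
            print(f"{who!r} {name} redirect: {cid} -> {login(who, table)}")
```

Because the RP keys accounts on the post-redirect URL, the user who signed up without the https: prefix no longer matches the stored record once the redirect is in place, while the user who typed https: is unaffected.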