[OpenID] Bug in OpenID RP implementations
Andrew Arnott
andrewarnott at gmail.com
Fri Jan 2 00:50:56 UTC 2009
You're right of course, Martin. However, there is something that
myopenid.com could implement today that would resolve the problem over time:
1. All new user accounts automatically get the new behavior of
redirecting to HTTPS. Nothing breaks here.
2. All existing user accounts get an option in their account preferences
to switch on the new redirect behavior.
This is what all OPs could do, and the sooner they do it, the more users
will fall into #1, which is the easiest scenario for the common end user.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 5:40 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Andrew Arnott wrote:
> >
> > Ideally, myopenid.com and all other OPs would redirect identity page
> > requests that come in on HTTP to HTTPS so that all claimed identifiers
> > and authentication would occur over HTTPS to provide higher security
> > to users.
> >
>
> Of course, as we currently stand existing providers such as MyOpenID
> cannot do this because that would effectively change the OpenID
> identifiers for all of their users that had not explicitly typed the
> https: prefix into the RP.
>
> OpenID really needs a way to migrate from one identifier to another
> without breaking the connection to existing accounts.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
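The following simulation is an added illustration, not code from this thread, from myopenid.com or from any OpenID library. It models the two-step policy Andrew proposes (new accounts always redirect to HTTPS; existing accounts get an opt-in preference) against the breakage Martin describes: an RP keys its local accounts on the Claimed Identifier, which is the identity URL after following redirects during discovery, so a scheme-changing redirect silently changes that key. All host names (`op.example`), the cutoff date and the account names are constructed.

```python
"""Per-account HTTPS-redirect policy for an OpenID OP, simulated end to end.
Constructed example: hypothetical OP, RP and accounts; no real network I/O."""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit, urlunsplit


def normalize(identifier: str) -> str:
    """OpenID-2.0-style URL normalization: prefix http:// when no scheme was
    typed, lower-case scheme and host, ensure a path. The scheme is never
    rewritten here, so http://u/ and https://u/ remain distinct identifiers."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


@dataclass
class Account:
    name: str
    created: date
    https_redirect_pref: bool = False  # step 2: the new account-preference switch


POLICY_CUTOFF = date(2009, 1, 2)  # constructed: day the OP switches the policy on


@dataclass
class OpenIDProvider:
    """Hypothetical OP serving identity pages at http(s)://<name>.op.example/."""
    accounts: dict = field(default_factory=dict)
    force_all: bool = False  # the blanket redirect Martin says is not possible

    def wants_https(self, acct: Account) -> bool:
        # Step 1: accounts created on/after the cutoff always redirect to HTTPS.
        # Step 2: older accounts redirect only once the user opts in.
        return self.force_all or acct.created >= POLICY_CUTOFF or acct.https_redirect_pref

    def fetch(self, url: str) -> str:
        """Simulate GET of an identity page; return the final URL after any
        redirect the OP issues for that account."""
        p = urlsplit(url)
        acct = self.accounts[p.netloc.split(".")[0]]
        if p.scheme == "http" and self.wants_https(acct):
            return urlunsplit(("https",) + tuple(p[1:]))
        return url


def discover(op: OpenIDProvider, user_supplied: str) -> str:
    """RP-side discovery: the Claimed Identifier is the URL after redirects."""
    return op.fetch(normalize(user_supplied))


@dataclass
class RelyingParty:
    op: OpenIDProvider
    users: dict = field(default_factory=dict)  # claimed identifier -> local account

    def register(self, typed: str, local: str) -> None:
        self.users[discover(self.op, typed)] = local

    def login(self, typed: str):
        return self.users.get(discover(self.op, typed))  # None = no linked account


def scenario(force_all_later: bool = False) -> dict:
    """Alice registered at the RP before the policy change, Bob after it.
    Returns which logins still resolve once the OP applies its policy."""
    op = OpenIDProvider()
    op.accounts["alice"] = Account("alice", date(2008, 6, 1))  # pre-existing user
    op.accounts["bob"] = Account("bob", date(2009, 1, 5))      # new user, step 1
    rp = RelyingParty(op)
    rp.register("alice.op.example", "alice-local")  # stored as http://alice.op.example/
    rp.register("bob.op.example", "bob-local")      # redirected, stored as https://...
    op.force_all = force_all_later
    results = {
        "alice_after_policy": rp.login("alice.op.example"),
        "bob": rp.login("bob.op.example"),
        "bob_stored_https": "https://bob.op.example/" in rp.users,
    }
    # Alice flips the step-2 preference herself: her discovered identifier
    # changes, so the RP link breaks, but now by her own choice and timing.
    op.accounts["alice"].https_redirect_pref = True
    results["alice_after_optin"] = rp.login("alice.op.example")
    return results


if __name__ == "__main__":
    print("opt-in policy :", scenario())
    print("forced policy :", scenario(force_all_later=True))
```

With the opt-in policy Alice's `http://` identifier keeps resolving at the RP until she turns the preference on; with a blanket redirect (`force_all_later=True`) every pre-existing `http://` link at every RP stops resolving the moment the OP flips the switch, which is the failure Martin raises. Bob, created after the cutoff, is stored under `https://` from the start, so nothing breaks for him.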