[OpenID] Bug in OpenID RP implementations

Martin Atkins mart at degeneration.co.uk
Fri Jan 2 01:49:37 UTC 2009


Eric Norman wrote:
> On Jan 1, 2009, at 6:40 PM, Martin Atkins wrote:
> 
>> OpenID really needs a way to migrate from one identifier to another
>> without breaking the connection to existing accounts.
> 
> If RPs do indeed include the "http(s)://" as part of their
> account identifiers, then yep, there's a migration problem.
> 
> In any case, I suggest that y'all rethink the notion that
> URLs that only differ by that "s" can represent different
> entities.  I note that the above statement about what
> OpenID needs makes an implicit assumption that such URLs
> would represent the same entity.
> 

Two URLs that differ only in that the scheme is https vs. http *must* be 
considered to be different, otherwise any security benefits offered by 
using https are rendered ineffective. (You could just compromise the 
non-SSL version, ignoring the SSL version.)
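As an added illustration of the point above (example code written for this page, not from the OpenID list or from any RP implementation), here is a Python account-key function that applies OpenID 2.0-style URL normalization while keeping the scheme, next to the scheme-blind variant that would merge the http and https identifiers; the normalization rules are a simplified reading of the spec and the account table and identifiers are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(raw: str) -> str:
    """Normalize a user-typed OpenID URL identifier into an RP account key.

    Simplified OpenID 2.0 / RFC 3986 normalization (assumed rules): prepend
    http:// when no scheme is given, drop the fragment, lowercase scheme and
    host, strip the scheme's default port, use "/" for an empty path.
    XRIs (=name, @name) are out of scope here. The scheme is deliberately
    kept, so http://... and https://... produce different keys.
    """
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError if malformed
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def scheme_blind_key(raw: str) -> str:
    """The unsafe variant: drops the scheme, so a claimed http:// identifier
    would unlock an account registered under https://."""
    return normalize_identifier(raw).split("://", 1)[1]


def lookup_account(accounts: dict, claimed_id: str):
    """Resolve a verified claimed identifier to an account, scheme included."""
    return accounts.get(normalize_identifier(claimed_id))


# Constructed RP account table keyed by normalized identifier.
ACCOUNTS = {"https://example.com/alice": "alice (https only)"}

if __name__ == "__main__":
    print(lookup_account(ACCOUNTS, "HTTPS://Example.com:443/alice#x"))  # match
    print(lookup_account(ACCOUNTS, "http://example.com/alice"))         # None
```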
