[OpenID] Bug in OpenID RP implementations
Eric Norman
ejnorman at doit.wisc.edu
Fri Jan 2 01:59:40 UTC 2009
On Jan 1, 2009, at 7:49 PM, Martin Atkins wrote:
> Eric Norman wrote:
>> On Jan 1, 2009, at 6:40 PM, Martin Atkins wrote:
>>
>>> OpenID really needs a way to migrate from one identifier to another
>>> without breaking the connection to existing accounts.
>>
>> If RPs do indeed include the "http(s)://" as part of their
>> account identifiers, then yep, there's a migration problem.
>>
>> In any case, I suggest that y'all rethink the notion that
>> URLs that only differ by that "s" can represent different
>> entities. I note that the above statement about what
>> OpenID needs makes an implicit assumption that such URLs
>> would represent the same entity.
>>
>
> Two URLs that differ only in that the scheme is https vs. http *must*
> be
> considered to be different, otherwise any security benefits offered by
> using https are rendered ineffective. (You could just compromise the
> non-SSL version, ignoring the SSL version.)
Of course they're different. You can tell that just
by looking at them. The point is that that doesn't
mean that they have to represent (identify) different
entities. Math geek language: there are mappings that
aren't injective (one-to-one).
Eric Norman
More information about the general
mailing list