[OpenID] Bug in OpenID RP implementations
Peter Watkins
peterw at tux.org
Fri Jan 2 01:59:52 UTC 2009
On Thu, Jan 01, 2009 at 07:44:58PM -0600, Eric Norman wrote:
> In any case, I suggest that y'all rethink the notion that
> URLs that only differ by that "s" can represent different
> entities. I note that the above statement about what
> OpenID needs makes an implicit assumption that such URLs
> would represent the same entity.
I think it would be fair to assume that an https identifier
was equivalent to an http identifier (switching to https implies
an improvement in the security of the assertion), but the same
could NOT be said for someone presenting an http identifier.
Once I've logged in with https://my.yahoo.com/, I don't want
an RP deciding that http://my.yahoo.com/ is "good enough".
It would be nice if the next spec clarified this -- it would pave
the way for OPs like AOL to upgrade the security of their service
without hurting usability.
-Peter
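A scheme-aware identifier comparison that implements the policy argued for above (an http identifier may be satisfied by an https assertion, but never the reverse), added here as an illustration; it is not code from the thread or from any OpenID library, and the function names are assumed.

```python
from urllib.parse import urlsplit


def normalize(identifier: str) -> tuple:
    """Split an OpenID URL identifier into (scheme, host, path).

    Scheme and host are case-insensitive, so they are lower-cased;
    an empty path is treated as "/" so "https://a.example" and
    "https://a.example/" compare equal.
    """
    parts = urlsplit(identifier.strip())
    return parts.scheme.lower(), parts.netloc.lower(), parts.path or "/"


def accept_assertion(claimed: str, asserted: str) -> bool:
    """Decide whether an OP assertion for `asserted` may complete a
    login that the user started with `claimed`.

    - host and path must match exactly
    - same scheme: accept
    - claimed http, asserted https: accept (security upgrade)
    - claimed https, asserted http: reject (silent downgrade)
    """
    c_scheme, c_host, c_path = normalize(claimed)
    a_scheme, a_host, a_path = normalize(asserted)
    if (c_host, c_path) != (a_host, a_path):
        return False
    if c_scheme == a_scheme:
        return True
    return c_scheme == "http" and a_scheme == "https"
```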