[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Fri Jan 2 02:34:27 UTC 2009


That sounds like a good solution.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 6:59 PM, Peter Watkins <peterw at tux.org> wrote:

> On Thu, Jan 01, 2009 at 07:44:58PM -0600, Eric Norman wrote:
>
> > In any case, I suggest that y'all rethink the notion that
> > URLs that only differ by that "s" can represent different
> > entities.  I note that the above statement about what
> > OpenID needs makes an implicit assumption that such URLs
> > would represent the same entity.
>
> I think it would be fair to assume that an https identifier
> was equivalent to an http identifier (switching to https implies
> an improvement in the security of the assertion), but the same
> could NOT be said for someone presenting an http identifier.
> Once I've logged in with https://my.yahoo.com/, I don't want
> an RP deciding that http://my.yahoo.com/ is "good enough".
>
> It would be nice if the next spec clarified this -- it would pave
> the way for OPs like AOL to upgrade the security of their service
> without hurting usability.
>
> -Peter
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
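As an added illustration (not code from this thread or from any OpenID library), here is the asymmetric comparison Peter describes: an RP matches a presented identifier against the one it has on record, accepts https where http was recorded, and refuses http where https was recorded. The normalisation below is a simplified assumption, not the full OpenID 2.0 identifier rules.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

_DEFAULT_PORT = {"http": 80, "https": 443}


def normalize(identifier: str) -> str:
    """Canonicalise a URL identifier just enough to compare it:
    lower-case scheme and host, drop the default port, default the
    path to '/', drop any fragment. (Assumed, simplified rules.)"""
    parts = urlsplit(identifier.strip())
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORT:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != _DEFAULT_PORT[scheme]:
        host = f"{host}:{parts.port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def is_acceptable(stored: str, presented: str) -> bool:
    """Compare a presented identifier with the one on record.
    Host, port, path and query must agree after normalisation.
    Same scheme: accept. https presented for a stored http record:
    accept (an upgrade). http presented for a stored https record:
    refuse (a downgrade)."""
    s, p = urlsplit(normalize(stored)), urlsplit(normalize(presented))
    if (s.netloc, s.path, s.query) != (p.netloc, p.path, p.query):
        return False
    if s.scheme == p.scheme:
        return True
    return s.scheme == "http" and p.scheme == "https"


def reconcile(stored: str, presented: str) -> Optional[str]:
    """Identifier the RP should keep on record after a successful
    assertion, or None if the presented identifier must be rejected.
    Once a user has asserted https, the record moves to https."""
    if not is_acceptable(stored, presented):
        return None
    new = normalize(presented)
    return new if new.startswith("https://") else normalize(stored)
```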