[OpenID] Bug in OpenID RP implementations

Martin Atkins mart at degeneration.co.uk
Fri Jan 2 04:38:15 UTC 2009


Eric Norman wrote:
> 
> So just what is your point here?  Are you saying that it
> should be either one or the other, but not both?  Or are
> you actually arguing that both should be allowed and
> indeed refer to different entities?
> 
> And if there's a choice to be made, who makes it?
> 
> Or perhaps I should put it this way if you consider the
> DNS poisoning argument compelling.
> 
> Shame on the OpenID community for designing a protocol
> that is insecure from its birth (by using http).  And
> with no easy way to fix it.
> 

The recommended approach for deploying the technology as it currently 
stands is for the provider to issue a permanent redirect from the http: 
URL to a https: URL, which causes RPs to use the https: URL as the 
identifier.

Some providers don't do this, of course.

There is an outstanding issue that there is no way to "move" an OpenID 
identifier, which impacts the ability for a previously-http: identifier 
to become an https: identifier, but also causes other problems such as 
when a user changes providers or when a provider wants to change the URL 
in some other way. This issue is known but a satisfactory solution has 
not yet been found except the email-like solution of just keeping the 
old URL around as an alias for the new one.
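The redirect mechanism Martin describes can be seen end to end in the following added example, which is not code from this thread or from any OpenID library. It models the Relying Party side: the user-supplied identifier is normalized (in the style of OpenID 2.0 section 7.2), redirects are followed, and the URL where the chain ends is recorded as the Claimed Identifier, which is how a provider's permanent http: to https: redirect ends up upgrading the identifier the RP stores. The `fetch` callback, `FAKE_WEB` table and `fake_fetch` are constructed stand-ins for real HTTP so the code runs offline; the hop limit and loop check are defensive additions of mine, not requirements stated in the message.

```python
"""Added example: how an OpenID RP arrives at an https: Claimed Identifier
when the provider issues a permanent redirect from the http: URL.
Network access is replaced by a constructed in-memory fetcher."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed stub: a fetch returns (HTTP status, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

MAX_REDIRECTS = 5  # bound the chain so a misbehaving provider cannot loop us


def normalize(user_input: str) -> str:
    """Identifier normalization in the style of OpenID 2.0 section 7.2:
    prepend http:// when no scheme is given, lower-case scheme and host,
    drop any fragment, and use '/' for an empty path."""
    if "://" not in user_input:
        user_input = "http://" + user_input
    p = urlsplit(user_input)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def resolve_claimed_identifier(user_input: str, fetch: Fetcher) -> Dict[str, object]:
    """Follow redirects from the normalized URL; the URL where the chain ends
    is the Claimed Identifier the RP records. A provider's 301 from the
    http: URL to the https: URL therefore changes the stored identifier."""
    url = normalize(user_input)
    chain: List[str] = [url]
    for _ in range(MAX_REDIRECTS):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            raise ValueError("redirect loop while discovering " + user_input)
        chain.append(url)
    else:
        raise ValueError("too many redirects while discovering " + user_input)
    scheme = urlsplit(url).scheme
    return {
        "claimed_identifier": url,
        "chain": chain,
        # If the chain never reached https, the identifier and its discovery
        # document were fetched over a channel that an on-path attacker or a
        # poisoned resolver could alter; a plain-http identifier carries that risk.
        "transport_authenticated": scheme == "https",
    }


# Constructed provider behaviour standing in for real HTTP responses.
FAKE_WEB = {
    "http://example.com/alice": (301, "https://example.com/alice"),   # provider redirects
    "https://example.com/alice": (200, None),
    "http://legacy.example.net/bob": (200, None),                      # provider never redirects
    "http://loop.example.org/": (302, "http://loop.example.org/"),     # broken provider
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Constructed fetcher: look the URL up in FAKE_WEB, 404 otherwise."""
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for ident in ("example.com/alice", "legacy.example.net/bob"):
        print(ident, "->", resolve_claimed_identifier(ident, fake_fetch))
```

Running it shows `example.com/alice` resolving to `https://example.com/alice` with a two-entry chain, while `legacy.example.net/bob` stays an http: identifier and is flagged as fetched over an unauthenticated transport, which is the situation the quoted complaint is about. The loop example raises rather than spinning.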
