[OpenID] Bug in OpenID RP implementations

Josh Hoyt josh at janrain.com
Fri Jan 2 18:04:19 UTC 2009


On Thu, Jan 1, 2009 at 4:36 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> However, I don't agree with all of their decisions (AX
> type URIs and non-https enforcement among them).

The AX type URI thing is a problem that we do indeed need to fix.

> Ideally, myopenid.com and all other OPs would redirect identity page
> requests that come in on HTTP to HTTPS so that all claimed identifiers and
> authentication would occur over HTTPS to provide higher security to users.

The decisions we made regarding requiring HTTPS for identifiers were
made because during the process of implementing and testing OpenID
libraries as well as from library-user feedback, we encountered a
significant fraction of environments where *client* support for HTTPS
for use in the library was not present. As a result, we decided that
we could not redirect all identity page requests (and thus, all OpenID
traffic) to HTTPS without preventing myOpenID users from being able to
sign in at these sites. The CA trust issue raised in this thread is
another variation on this problem.

This presents us with another major problem, which is that even if we
do start redirecting identity page requests to HTTPS, we can't do it
for existing identifiers, because the HTTP and HTTPS identifiers are
distinct. They're distinct precisely so that we *can* derive any
security benefit from using HTTPS at all.

It's additionally problematic that we can't redirect users, because
the vast majority of users will not know (and even if they do know,
it's unlikely that they'll understand) that they should prefer the
HTTPS identifier when given the choice.

I hope that sheds some light on the implementation decisions that
providers face with respect to HTTPS. I think that the situation has
changed somewhat since our original policy decisions were made (most
notably, relying parties now have to support HTTPS in order to allow
Yahoo and Google OpenIDs.)

Josh
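The point about HTTP and HTTPS identifiers being distinct, as an added example that is not part of this thread or of any OpenID library: OpenID 2.0 normalization of a URL identifier (section 7.2 of the spec) keeps the scheme and then follows redirects to the final URL, so an OP that started redirecting an existing http identity page to https would hand RPs a different Claimed Identifier than the one they already have on file. The hostname and the redirect table are constructed; no network access is used.

```python
# Added example (not from this thread or from any OpenID library).
# OpenID 2.0 URL identifier normalization (spec section 7.2), used to show
# why http:// and https:// identifiers are distinct and why redirecting an
# existing http identity page to https changes what an RP sees.
import re
from urllib.parse import urlsplit, urlunsplit

_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def normalize_user_input(user_input: str) -> str:
    """Normalize a user-supplied URL identifier before discovery.

    Rules for URL identifiers: prepend http:// when no scheme was typed,
    lowercase scheme and host, default an empty path to "/", drop the
    fragment. XRIs and default-port removal are out of scope here.
    """
    s = user_input.strip()
    if not _SCHEME_RE.match(s):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + scheme)
    host = parts.netloc.lower()
    path = parts.path or "/"
    # The scheme is preserved: http and https identifiers stay distinct.
    return urlunsplit((scheme, host, path, parts.query, ""))


def claimed_identifier_after_discovery(normalized: str, redirects: dict) -> str:
    """Second normalization step: follow redirects, keep the final URL.

    `redirects` is a constructed stand-in for the 3xx responses an RP's
    HTTP client would see while fetching the identity page.
    """
    seen = set()
    url = normalized
    while url in redirects:
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        url = normalize_user_input(redirects[url])
    return url


# Constructed scenario: the OP begins redirecting http identity pages to https.
OP_REDIRECTS = {"http://alice.example.net/": "https://alice.example.net/"}
ORIGINAL_ACCOUNT_KEY = normalize_user_input("alice.example.net")  # http://...
AFTER_REDIRECT = claimed_identifier_after_discovery(ORIGINAL_ACCOUNT_KEY, OP_REDIRECTS)

if __name__ == "__main__":
    print(ORIGINAL_ACCOUNT_KEY, "->", AFTER_REDIRECT)
    print("same RP account?", ORIGINAL_ACCOUNT_KEY == AFTER_REDIRECT)
```

An RP that keyed the user's account on the original http identifier would, after such a redirect, receive an identifier it has never seen before, which is the migration problem the message describes.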
