[OpenID] Doubts about SSL and direct requests between RP and OP

Andrew Arnott andrewarnott at gmail.com
Wed Feb 9 15:58:28 UTC 2011


I didn't get the idea that Kleber wanted to avoid standard signature
verification.  Historically HTTPS OpenIDs caused problems for lesser RP
implementations and it sounds like Kleber wants pure-HTTPS that won't cause
these problems for RPs.

My answer for Kleber, if I'm right, is yes, pure-SSL is achievable by an OP
without compromising RPs at this point.  I can't think of any worthwhile RPs
that haven't worked out all their SSL issues by this point.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre



On Wed, Feb 9, 2011 at 5:58 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> All of the providers that support the US ICAM profile have SSL endpoints
> available.   Others probably do but there is no guarantee.
>
> The openID assertion is sent via redirect so it would not be safe to not
> validate the HMAC signature or perform direct validation.
>
> There will be an option for verifying asymmetric signatures in openID ABC.
>
> What is your reason for not doing an association and validating the
> signature that way?
>
> John B.
>
> On 2011-02-09, at 10:46 AM, Kleber - Corujito wrote:
>
> > Is it possible to implement a Provider working (everything) with HTTPS?
> >
> > I mean not just possible, but that normal RPs will be able to use it
> > without problems in discovery, association or direct verification.
> >
> > For example, would a simple Java or PHP application/installation be able
> > to validate an SSL certificate?
> >
> > Thanks
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
>
>
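
The association-based HMAC check discussed in this thread, as an added example that is not part of the original messages: an RP-side verifier for an OpenID 2.0 positive assertion using a stored association's MAC key. The endpoint URLs, handle, key and assertion values are constructed for illustration, and the nonce, return_to and discovery checks an RP also needs are left out.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires in openid.signed (plus claimed_id/identity when present).
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def signature(params, signed, mac_key, assoc_type):
    """HMAC over the Key-Value Form (one key:value line per signed field, in list order)."""
    for f in signed:
        if ":" in f or "\n" in f or "\n" in params["openid." + f]:
            raise ValueError("field not encodable in Key-Value Form")
    msg = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed)
    return hmac.new(mac_key, msg.encode("utf-8"), DIGESTS[assoc_type]).digest()

def verify_assertion(params, assoc_handle, mac_key, assoc_type="HMAC-SHA256"):
    """True only if the id_res response carries a valid signature for our association."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.assoc_handle") != assoc_handle:
        return False  # handle is not ours: fall back to direct verification
    signed = params.get("openid.signed", "").split(",")
    required = REQUIRED | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not required <= set(signed) or any("openid." + f not in params for f in signed):
        return False
    try:
        received = base64.b64decode(params.get("openid.sig", ""), validate=True)
        expected = signature(params, signed, mac_key, assoc_type)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received)  # constant-time comparison

# Constructed sample: the association key and assertion are made up for this example.
MAC_KEY = bytes(range(32))
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/user/alice",
    "openid.identity": "https://op.example/user/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2011-02-09T15:58:28Zabc123",
    "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = base64.b64encode(
    signature(SAMPLE, SAMPLE["openid.signed"].split(","), MAC_KEY, "HMAC-SHA256")).decode()
TAMPERED = dict(SAMPLE, **{"openid.claimed_id": "https://op.example/user/mallory"})
```

Because the assertion reaches the RP through the user's browser, `verify_assertion(TAMPERED, "handle-1", MAC_KEY)` returning False is the property that an HTTPS endpoint alone does not provide.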