thanks for the quick advice.<br><br>Given that diffie hellman is
conducted with the openid provider is there actually any additional
security benefit with using https to communicate with the openid
provider? Does it make it significantly harder to do man in the middle
attacks (if thats its purpose)?
<br><br>I hadn't considered that the identity could be under https but
the server not and vice-versa. Where would you see as the biggest
security benefit to use https?<span class="q"><br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
Sxipper also uses SSL, both for the OP-endpoint and for identifiers.<br>For the OP-endpoint we've also defined a lower priority HTTP service<br>endpoint.</blockquote></span><div><br>Do
consumers actually go to the lower priority http service endpoint
automatically if they fail in using the https service? Is this
specified in the protocol?
<br></div><br>Thanks again,<br><span class="sg">Immad</span><br><br><div><span class="gmail_quote">On 13/06/07, <b class="gmail_sendername">Johnny Bufu</b> <<a href="mailto:johnny@sxip.com">johnny@sxip.com</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:<br><br>>> Are there examples of https openid provider out their? (this might
<br>>> be a<br>>> silly question)<br>><br>> MyOpenID.com supports SSL, but works both ways. For example, both<br>> <a href="https://josh.myopenid.com/">https://josh.myopenid.com/</a> and <a href="http://josh.myopenid.com/">
http://josh.myopenid.com/</a> work.<br><br>Sxipper also uses SSL, both for the OP-endpoint and for identifiers.<br>For the OP-endpoint we've also defined a lower priority HTTP service<br>endpoint.<br><br>Identifiers are HTTPS-only though; providing both HTTP and HTTPS
<br>identifiers to a user may confuse them, because they will end up<br>using different identities if they log into an RP by presenting<br>"<a href="http://user.op.com">user.op.com</a>" vs "<a href="https://user.op.com">
https://user.op.com</a>".<br><br><br>Johnny<br><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general">
http://openid.net/mailman/listinfo/general</a><br></blockquote></div><br><br clear="all"><br>-- <br>Cell: +1 617 449 8654<br>Skype: i.akhund<br>Blog: <a href="http://immadsnewworld.blogspot.com">http://immadsnewworld.blogspot.com
</a>