<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I would think that jumping straight to (3) would be much simpler to
implement than including step (2) - no need to guard against
redirection - and no practical difference, as far as I can see.<br>
<br>
Cheers,<br>
<br>
Pat<br>
<br>
John Panzer wrote:
<blockquote cite="mid:469F9BB3.8070200@johnpanzer.com" type="cite">
<pre wrap="">Dmitry Shechtman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi list,
I just had a really fertile talk with Eddy about “IdP reputation”,
during which I came up with a couple of ideas which I found sound enough
to be shared with the community:
1. If an RP is after strong IdP security, it should only trust IdPs
that have SSL (so it would resolve all identifiers to <a class="moz-txt-link-freetext" href="https://">https://</a>)
</pre>
</blockquote>
<pre wrap=""><!---->
Agreed.
But I have a dumb question before even getting past step 1 (sorry). I
think this is the right algorithm to use to tell if an OP supports SSL,
and if so, to use it:
(1) If a user gives a protocol-less identifier, say foo.example.org,
assume it's <a class="moz-txt-link-freetext" href="http://foo.example.org">http://foo.example.org</a>.
(2) Given <a class="moz-txt-link-freetext" href="http://foo.example.org">http://foo.example.org</a>, attempt an HTTP/1.1 connection and see
if you get upgraded to TLS.
(3) If no TLS, blindly remap to <a class="moz-txt-link-freetext" href="https://foo.example.org">https://foo.example.org</a> and attempt an
SSL connection.
(4) If both (2) and (3) fail, don't trust.
In particular, if you see a 302 redirect on step (2) to an <a class="moz-txt-link-freetext" href="https://">https://</a> URL,
ignore it (susceptible to man-in-the-middle attack).
And the above applies both to an OpenID URL itself and any URLs that
resource delegates to via <link>.
Does this sound correct? I don't like the extra connection attempts and
if someone says that nobody upgrades to TLS over http in the real world
I'd be fine skipping it, or inverting (2) and (3) perhaps, since the OPs
I know would be fine jumping straight to (3).
-John
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Pat Patterson - <a class="moz-txt-link-abbreviated" href="mailto:pat.patterson@sun.com">pat.patterson@sun.com</a>
Federation Architect,
Sun Microsystems, Inc.
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat">http://blogs.sun.com/superpat</a>
</pre>
</body>
</html>