<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On Sep 14, 2007, at 16:00, John Panzer wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"> Johannes Ernst wrote: <BLOCKQUOTE cite="midC4650EDC-228E-4F99-A473-79E4E8527353@netmesh.us" type="cite">I'm one of the guys who actually maintains an ACL (Access Control List) based on OpenID identities. The process works like this: <BR> - Customer: hey, I'd like access to your website <BR> - Me: sure, send me your OpenID <BR> - Customer: foo.bar.com <BR> - Me: adding <A class="moz-txt-link-freetext" href="http://foo.bar.com/">http://foo.bar.com/</A> to the ACL <BR> - Customer: hey, I tried but it doesn't work <BR> - Me (diagnosing): that's because you entered '<A class="moz-txt-link-freetext" href="https://foo.bar.com/">https://foo.bar.com/</A>' and not '<A class="moz-txt-link-freetext" href="http://foo.bar.com/">http://foo.bar.com/</A>'. <BR> <BR> This happens in a surprisingly large number of cases. <BR> <BR> No user seems to put any significance into the http vs. https as part of their identifier; even the people who do have the technical understanding to distinguish the two tend to fail to understand that within this community, we treat them as different identities. <BR> </BLOCKQUOTE> I think that treating these as different identities would be a fairly major potential impersonation security problem.<BR></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>Exactly my point. This should be part of the spec.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Editors, anybody?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR><BLOCKQUOTE type="cite"> <BLOCKQUOTE cite="midC4650EDC-228E-4F99-A473-79E4E8527353@netmesh.us" type="cite"><BR> I'd like to revisit this issue, as actual user behavior as I'm seeing it tends to conflict with the assumptions we made when defining these as two different identities. 
Specifically, I'd like the spec to say: <BR> <BR> "Identifiers distinguished only by the 'http' vs. 'https' in the protocol part of the URL (e.g. '<A class="moz-txt-link-freetext" href="https://foo.bar.com/">https://foo.bar.com/</A>' vs '<A class="moz-txt-link-freetext" href="http://foo.bar.com/">http://foo.bar.com/</A>') refer to the same identity. Conforming implementations must ensure that attackers cannot use an identifier distinguished only by the protocol to impersonate a victim." <BR> <BR> Johannes Ernst <BR> NetMesh Inc. <BR> <A class="moz-txt-link-freetext" href="http://netmesh.info/jernst">http://netmesh.info/jernst</A> <BR> <BR> <PRE wrap=""><HR size="4" width="90%">_______________________________________________
general mailing list
<A class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</A>
<A class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</A>
</PRE></BLOCKQUOTE> </BLOCKQUOTE></DIV><BR></BODY></HTML>
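The ACL mismatch described in the thread (an entry for http://foo.bar.com/ rejecting a user who typed https://foo.bar.com/) and the proposed spec sentence about impersonation can both be shown in code. The following is an added example, not code from the OpenID specification, from NetMesh, or from anyone on the list. It normalizes identifiers along the lines of the OpenID 2.0 URL normalization rules, matches ACL entries regardless of scheme, and, as one possible way to honour the "must not be usable for impersonation" requirement, only accepts a scheme twin when both variants discover to the same OP endpoint. The `discover` callback, the `FAKE_DISCOVERY` table and the host names other than foo.bar.com are constructed stand-ins; a real relying party would obtain the endpoints by fetching the identifier URL, and would call `check()` only after the OP's assertion had already been verified in the usual way.

```python
"""Scheme-insensitive OpenID identifier ACL with a same-OP guard.

Added example (not OpenID spec code, not NetMesh code). Discovery results
are constructed inline so the example runs offline.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize(identifier: str) -> str:
    """Normalize a user-typed OpenID URL identifier.

    Mirrors the OpenID 2.0 normalization steps a relying party applies:
    assume http:// when no scheme is given, lowercase scheme and host,
    use "/" for an empty path, drop the fragment. The scheme is kept so the
    caller can decide how http and https relate to each other.
    """
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s  # bare hostnames are taken as http
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def scheme_agnostic_key(identifier: str) -> str:
    """Key under which http://X and https://X collapse to one identity."""
    parts = urlsplit(normalize(identifier))
    key = parts.netloc + parts.path
    return key + ("?" + parts.query if parts.query else "")


# Constructed stand-in for what Yadis/HTML discovery would return (assumption:
# in a real RP these endpoints are fetched from the identifier URL itself).
FAKE_DISCOVERY = {
    "http://foo.bar.com/": "https://op.example.net/server",
    "https://foo.bar.com/": "https://op.example.net/server",
    # The victim's https identifier is served by their OP, but the http twin
    # has been pointed at an attacker-controlled OP.
    "https://victim.example.org/": "https://op.example.net/server",
    "http://victim.example.org/": "https://attacker.example.com/server",
}


def fake_discover(identifier: str):
    """Return the OP endpoint for an identifier, or None if unknown."""
    return FAKE_DISCOVERY.get(normalize(identifier))


class OpenIDACL:
    """ACL keyed on identifiers with http/https treated as one identity."""

    def __init__(self, entries, discover):
        # discover(identifier) -> OP endpoint URL; injected so tests run offline
        self._discover = discover
        self._by_key = {scheme_agnostic_key(e): normalize(e) for e in entries}

    def check(self, asserted_identifier: str):
        """Return (allowed, reason) for an identifier an OP has asserted.

        An entry matches either scheme variant, but a variant that differs
        from the stored entry only by scheme is accepted only if both resolve
        to the same OP endpoint. Otherwise whoever controls the twin URL could
        get a different OP to assert it and walk in as the ACL holder.
        """
        asserted = normalize(asserted_identifier)
        entry = self._by_key.get(scheme_agnostic_key(asserted))
        if entry is None:
            return False, "not on ACL"
        if asserted == entry:
            return True, "exact match"
        if self._discover(asserted) != self._discover(entry):
            return False, "scheme twin is served by a different OP; refusing"
        return True, "scheme-insensitive match, same OP as ACL entry"


if __name__ == "__main__":
    acl = OpenIDACL(["http://foo.bar.com/", "https://victim.example.org/"],
                    fake_discover)
    # The thread's support case: ACL holds http, user logged in as https.
    print(acl.check("https://foo.bar.com/"))
    # The impersonation case the proposed spec text is meant to rule out.
    print(acl.check("http://victim.example.org/"))
```

Whether "same OP endpoint" is the right equivalence test is a design decision, not something the spec text above settles; the point of the guard is that collapsing the two schemes in the ACL must not also collapse two different controllers of the URL into one account.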