<div dir="ltr">Gerald, you are correct in that the spec explicitly says that an https:// Identifier is not to be considered the same as an otherwise equivalent http:// Identifier by an RP. I don't know what all the reasons are for this, but I can think of a few (which I'll forbear listing unless you want to see them). <br>
I agree the migration path is really bumpy. The spec being what it is, the only way to do this is for each and every RP to provide a way for its user to log in using the old http:// URL, and associate a second OpenID to their same account (the one that uses https://). Then the OPs should offer an auto-redirect <i>option</i> for their users so that when the users are comfortable that they're using their https:// Identifier at all the RPs they log into, the OP will from that point on (for just that user) redirect http:// to https:// automatically for them to help them stay with their more secure identity.<br>
It should be noted though that even with this, http:// is still the first request by the RP if the user doesn't explicitly specify https:// in the Identifier box, and therefore subject to a DNS poisoning attack whenever https:// is not given.<br>
<br><div class="gmail_quote">On Mon, Aug 11, 2008 at 12:44 PM, Gerald Beuchelt <span dir="ltr"><<a href="mailto:beuchelt@sun.com">beuchelt@sun.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
In light of the recent security issues, we have decided to <a href="http://blog.beuchelt.org/2008/08/11/Securing+OpenIDWork+Again.aspx" target="_blank">improve
the security</a> of our OpenID@Work service/experiment. <br>
<br>
In a nutshell, we would like to require all users to use https://
prefixed OpenID identifier, so that RPs normalize and discover over
HTTPS, instead of HTTP. The obvious issue is that -- to my knowledge --
<a href="https://openid.sun.com/user" target="_blank">https://openid.sun.com/user</a> != <a href="http://openid.sun.com/user" target="_blank">http://openid.sun.com/user</a>. At this
point I see an opportunity for the OpenID community to address some of
the recent vulnerabilities: if RPs started to recognize both https://
and http:// prefixed identifiers as the same entity, or at least
allowed easy linking, users could migrate with a lot more ease. <br>
<br>
This would be less than a mandate for SSL, but make migration a lot
less painful... Your thoughts?<br>
<br>
Gerald Beuchelt<br>
Sun Microsystems, Inc. <br>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br></div>