<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Andrew - <br>
<br>
I agree with your more general approach--in fact, I would probably
even like RPs to allow association of a particular account with *any*
new OpenID identifier. But that would obviously put an even bigger
burden on the RPs, which is not necessarily something OpenID needs
right now...<br>
<br>
To require authentication with the old (<a class="moz-txt-link-freetext" href="http://">http://</a> based) OpenID,
prior to associating the new (<a class="moz-txt-link-freetext" href="https://">https://</a> based) identifier should
definitively be part of the 'upgrade' process. <br>
<br>
Best, <br>
<br>
Gerald<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900808111339g296f6453wab4d6b89d53c0848@mail.gmail.com"
type="cite">
<div dir="ltr">Gerald, you are correct in that the spec explicitly
says that an <a class="moz-txt-link-freetext" href="https://">https://</a> Identifier not be considered the same as an
otherwise equivalent <a class="moz-txt-link-freetext" href="http://">http://</a> Identifier by an RP. I don't know what
all the reasons are for this, but I can think of a few (which I'll
forbear listing unless you want to see them). <br>
I agree the migration path is really bumpy. The spec being what it is,
the only way to do this is for each and every RP to provide a way for
its user to log in using the old <a class="moz-txt-link-freetext" href="http://">http://</a> URL, and associate a second
OpenID to their same account (the one that uses <a class="moz-txt-link-freetext" href="https://">https://</a>). Then the
OPs should offer an auto-redirect <i>option</i> for their users so
that when the users are comfortable that they're using their <a class="moz-txt-link-freetext" href="https://">https://</a>
Identifier at all the RPs they log into, the OP will from that point on
(for just that user) redirect <a class="moz-txt-link-freetext" href="http://">http://</a> to <a class="moz-txt-link-freetext" href="https://">https://</a> automatically for
them to help them stay with their more secure identity.<br>
It should be noted though that even with this, <a class="moz-txt-link-freetext" href="http://">http://</a> is still the
first request by the RP if the user doesn't explicitly specify <a class="moz-txt-link-freetext" href="https://">https://</a>
in the Identifier box, and therefore subject to a DNS poisoning attack
whenever <a class="moz-txt-link-freetext" href="https://">https://</a> is not given.<br>
<br>
</div>
</blockquote>
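The migration path Andrew describes above, as an added example that is not code from this thread or from any OpenID library: an RP that treats http:// and https:// identifiers as distinct, lets an already-authenticated user link the https:// form to the same account, and an OP with a per-user opt-in redirect from http:// to https://. The RelyingParty and OpenIDProvider classes, the in-memory stores and the alice.example identifiers are constructed for this illustration; normalization follows the OpenID 2.0 user-input rules only as far as prepending http:// to a bare name (which is why the first discovery request goes out over http:// unless the user types https://) and keeping the scheme, so the two forms never compare equal.

```python
from urllib.parse import urlsplit, urlunsplit


class MigrationError(Exception):
    """Raised when an identifier link would not be an authenticated upgrade."""


def normalize_identifier(identifier: str) -> str:
    """Normalize user input the way an OpenID 2.0 RP does for a URL identifier:
    a bare name gets "http://" prepended (so discovery defaults to plain http),
    scheme and host are lowercased, an empty path becomes "/", the fragment is
    dropped.  The scheme is kept on purpose: https://alice.example/ and
    http://alice.example/ remain different identifiers, as the spec requires."""
    s = identifier.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s                     # default scheme is http, per the spec
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discovery_is_plaintext(identifier: str) -> bool:
    """True when discovery for this identifier would be fetched over http://,
    i.e. the first request is not protected by TLS (Andrew's caveat)."""
    return urlsplit(normalize_identifier(identifier)).scheme == "http"


def is_https_upgrade_of(new_id: str, old_id: str) -> bool:
    """True if new_id is exactly the https:// form of the http:// identifier old_id."""
    n = urlsplit(normalize_identifier(new_id))
    o = urlsplit(normalize_identifier(old_id))
    return n.scheme == "https" and o.scheme == "http" and n[1:] == o[1:]


class RelyingParty:
    """Minimal RP account store: a local account may own several OpenIDs."""

    def __init__(self):
        self.accounts = {}            # account name -> set of normalized identifiers
        self.identifier_owner = {}    # normalized identifier -> account name

    def register(self, account: str, identifier: str) -> None:
        ident = normalize_identifier(identifier)
        if ident in self.identifier_owner:
            raise MigrationError("identifier already linked to an account")
        self.accounts.setdefault(account, set()).add(ident)
        self.identifier_owner[ident] = account

    def login(self, asserted_identifier: str):
        """Account for an identifier the OP has just asserted, or None if the RP
        has never seen it.  No http/https equivalence is applied: the https://
        form is unknown until the user links it."""
        return self.identifier_owner.get(normalize_identifier(asserted_identifier))

    def can_link(self, session_account: str, session_identifier: str) -> bool:
        """The identifier the user authenticated with in this session must already
        belong to the account being extended."""
        return self.identifier_owner.get(normalize_identifier(session_identifier)) == session_account

    def link_identifier(self, session_account: str, session_identifier: str,
                        new_identifier: str) -> None:
        """Associate new_identifier with the authenticated account.  Requiring a
        live login with the old identifier is what makes this an upgrade by the
        owner rather than a claim of the https:// form by whoever asserts it first."""
        if not self.can_link(session_account, session_identifier):
            raise MigrationError("session identifier does not belong to this account")
        self.register(session_account, new_identifier)


class OpenIDProvider:
    """Per-user opt-in redirect from the http:// identifier to the https:// one."""

    def __init__(self):
        self.redirect_enabled = set()   # normalized http:// identifiers that opted in

    def enable_https_redirect(self, http_identifier: str) -> None:
        self.redirect_enabled.add(normalize_identifier(http_identifier))

    def resolve(self, identifier: str) -> str:
        """Identifier the OP would serve for a discovery request on `identifier`."""
        ident = normalize_identifier(identifier)
        parts = urlsplit(ident)
        if parts.scheme == "http" and ident in self.redirect_enabled:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return ident


if __name__ == "__main__":
    rp = RelyingParty()
    rp.register("alice", "http://alice.example/")          # constructed sample identifier
    rp.link_identifier("alice", "http://alice.example/", "https://alice.example/")
    op = OpenIDProvider()
    op.enable_https_redirect("http://alice.example/")
    print(rp.login("https://alice.example/"), op.resolve("alice.example"))
```

The order of operations matters: `link_identifier` is only reachable from a session that was itself authenticated with the old http:// identifier, and `OpenIDProvider.resolve` only redirects for users who opted in, matching the "auto-redirect option" in the quoted message. `discovery_is_plaintext` makes the remaining gap explicit: any identifier typed without https:// still triggers an http:// discovery request the RP cannot authenticate.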
<br>
</body>
</html>