That sounds like a good solution.<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 6:59 PM, Peter Watkins <span dir="ltr"><<a href="mailto:peterw@tux.org">peterw@tux.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Thu, Jan 01, 2009 at 07:44:58PM -0600, Eric Norman wrote:<br>
<br>
> In any case, I suggest that y'all rethink the notion that<br>
> URLs that only differ by that "s" can represent different<br>
> entities. I note that the above statement about what<br>
> OpenID needs makes an implicit assumption that such URLs<br>
> would represent the same entity.<br>
<br>
</div>I think it would be fair to assume that an https idenitifier<br>
was equivalent to an http identifier (switching to https implies<br>
an improvement in the security of the assertion), but the same<br>
could NOT be said for someone presenting an http identifier.<br>
Once I've logged in with <a href="https://my.yahoo.com/" target="_blank">https://my.yahoo.com/</a>, I don't want<br>
an RP deciding that <a href="http://my.yahoo.com/" target="_blank">http://my.yahoo.com/</a> is "good enough".<br>
<br>
It would be nice if the next spec clarified this -- it would pave<br>
the way for OPs like AOL to upgrade the security of their service<br>
without hurting usability.<br>
<font color="#888888"><br>
-Peter<br>
</font><div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>