<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yes SP=RP. Remind me to use RP only, here, and keep SP for OAUTH
(since OAUTH and openid seem to have a potential marriage ahead).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m now logged into my classical OP site (homepw.myopenid.com).
I can’t see how to control “my” metadata to allow “authentication”
only over https.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Should I infer in the movement that “really” OPs
decide whether the https-class openid they provision will or will not “authenticate”
over https – and not mere users?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For me, myopenid OP is/was the “gold standard” of
openid OP implementations – an expression of the core use cases and the
movement’s management/control goals in their most primitive form. If I
keep that belief, evidently users/subscribers are not “really”
supposed to decide whether https must be used during authentication. RPs may
decide so. OPs may decide so. But users cannot.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Thursday, January 01, 2009 3:27 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Eddy Nigg (StartCom Ltd.); OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>SP? Do you mean RP?
SP is an acronym that applies to OAuth. OpenID uses RP and OP. I
assume by SP you mean RP here...<br>
<br>
The <a
href="http://openid.net/specs/openid-authentication-2_0.html#security_considerations">OpenID
2.0 spec section 15</a> calls out several opt-in measures that an RP or OP can
take to increase security for the authentication process. But no, as has
been stated an RP is not obliged per (my reading of) the spec to require that
if discovery is done using HTTPS that authentication must also be done using
HTTPS.<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Is the SP right or wrong to
redirect to an http OP endpoint, given an https openid, in your understanding
of the spec (and what it means to be a conforming implementation)?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Though operating in openid1
legacy mode, neither SP nor OP objected – probably because the spec does
call out for code to raise an exception – presumably because it isn't
one, formally.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Sent:</b> Thursday, January 01, 2009 3:00 PM<br>
<b>Cc:</b> OpenID List<o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On 01/02/2009 12:49 AM, Eric Norman: <o:p></o:p></p>
</div>
</div>
<div>
<div><pre>On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>The openid 2 spec says in section 15 (a non-normative must, note):<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>"In order to get protection from SSL, SSL must be used for all parts <o:p></o:p></pre><pre>of the interaction, including interaction with the end user through <o:p></o:p></pre><pre>the User-Agent."<o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre> <o:p></o:p></pre><pre>When I include "https:" in my OpenID, I'm saying that I<o:p></o:p></pre><pre>want protection by SSL, right?<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'><br>
Your OpenID is https:// then, it's not necessarily the same as http and the
other way around too. It has been many times already mentioned. <br>
<br>
<o:p></o:p></p>
<pre> <o:p></o:p></pre><pre>So if something elsewhere decides not to use SSL for<o:p></o:p></pre><pre>whatever reason, that would be incorrect behavior, right?<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'><br>
Correct. However an OP may return the claimed OpenID as https (there are for
example some OPs which don't do plain http, only https via redirect).<br>
<br>
<o:p></o:p></p>
<pre> <o:p></o:p></pre><pre>And let's not forget that the error message I quoted is<o:p></o:p></pre><pre>clearly inappropriate.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>startcom@startcom.org<o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
</table>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
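<p>The RP-side check the thread keeps circling (an https claimed identifier being redirected to a plain-http OP endpoint), as an added example that is not code from the list or from any OpenID library: it parses a constructed XRDS discovery document that advertises both an http and an https OP endpoint and refuses to downgrade. Hostnames, URLs and the XRDS contents are constructed.</p>

```python
"""Added example, not code from the thread or any OpenID library: an RP-side
policy that will not send an https claimed identifier to an http OP endpoint,
the behaviour the thread notes the OpenID 2.0 spec leaves optional (section 15
is non-normative)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "{xri://$xrd*($v*2.0)}"
SIGNON_2_0 = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS document standing in for what Yadis discovery would return.
# It lists a plain-http endpoint at a *better* priority (lower number wins),
# which is exactly how a naive RP ends up redirecting to http.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://op.example.test/server</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.test/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_endpoints(xrds_text):
    """Return OpenID 2.0 signon endpoint URIs ordered by XRDS priority."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        if SIGNON_2_0 not in types:
            continue
        prio = int(svc.get("priority", "2147483647"))  # absent = lowest priority
        for uri in svc.findall(XRD_NS + "URI"):
            if uri.text:
                found.append((prio, uri.text.strip()))
    return [uri for _, uri in sorted(found)]


def select_endpoint(claimed_id, endpoints):
    """RP policy: an https claimed identifier may only be sent to an https OP
    endpoint; an http identifier takes the first endpoint discovery offers.
    Returns the chosen endpoint URI, or None when nothing acceptable exists."""
    require_tls = urlparse(claimed_id).scheme == "https"
    for endpoint in endpoints:
        if not require_tls or urlparse(endpoint).scheme == "https":
            return endpoint
    return None  # caller should fail the login rather than silently downgrade
```

With the sample document, priority order alone would pick the http endpoint; the policy skips it for an https identifier and returns None when only http endpoints are advertised.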
</body>
</html>