Hi Peter,<br><br>I (mostly) share your idealistic view of <a href="http://myopenid.com">myopenid.com</a>. I use it as a frame of reference often. However, I don't agree with all of their decisions (AX type URIs and non-https enforcement among them).<br>
<br>It seems to me that http<b>s</b>://<a href="http://homepw.myopenid.com/">homepw.myopenid.com/</a> results in <a href="http://myopenid.com">myopenid.com</a> referring to an HTTPS OP endpoint, and the <a href="http://homepw.myopenid.com/">http://homepw.myopenid.com/</a> referring to an HTTP OP endpoint. Fair enough. If you start your discovery securely it makes sense to continue with secure authentication. And if your discovery was insecure, well then the authentication isn't secure whether it uses HTTPS or not since the discovery could have been hijacked and authentication rerouted to another address. <br>
<br>Ideally, <a href="http://myopenid.com">myopenid.com</a> and all other OPs would redirect identity page requests that come in on HTTP to HTTPS so that all claimed identifiers and authentication would occur over HTTPS to provide higher security to users.<br>
<br>Regarding whether mere users have the choice of HTTPS being used for auth, they <i>may</i>. In your <a href="http://myopenid.com">myopenid.com</a> claimed id example the user has no control since <a href="http://myopenid.com">myopenid.com</a> hosts the claimed id page. However, if you take <a href="http://blog.nerdbank.net">http://blog.nerdbank.net</a>, which is one of my claimed identifiers which delegate to <a href="http://myopenid.com">myopenid.com</a> (and others via XRDS), since I am the one to write the delegation tags I get to decide whether to use an OP's HTTPS or HTTP endpoint. So yes, the user may have a choice about using a HTTP(S) OP endpoint, but they likely will not have that choice if they use an OP-hosted identity page.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 4:51 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Yes SP=RP. Remind me to use RP only, here, and keep SP for OAUTH
(since OAUTH and openid seem to have a potential marriage ahead).</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I'm now logged into my classical OP site (<a href="http://homepw.myopenid.com" target="_blank">homepw.myopenid.com</a>).
I can't see how to control "my" metadata to allow "authentication"
only over https.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Should I infer in the movement that "really" OPs
decide whether the https-class openid they provision will or will not "authenticate"
over https – and not mere users?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">For me, myopenid OP is/was the "gold standard" of
openid OP implementations – an expression of the core use cases and the
movement's management/control goals in their most primitive form. If I
keep that belief, evidently users/subscribers are not "really"
supposed to deciding whether https must be used during authentication. RPs may
decide so. OPs may decide so. But users cannot.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> Andrew Arnott
[mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Thursday, January 01, 2009 3:27 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Eddy Nigg (StartCom Ltd.); OpenID List<div><div></div><div class="Wj3C7c"><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations</div></div></span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p style="margin-bottom: 12pt;">SP? Do you mean RP?
SP is an acronym that applies to OAuth. OpenID uses RP and OP. I
assume by SP you mean RP here...<br>
<br>
The <a href="http://openid.net/specs/openid-authentication-2_0.html#security_considerations" target="_blank">OpenID
2.0 spec section 15</a> calls out several opt-in measures that an RP or OP can
take to increase security for the authentication process. But no, as has
been stated an RP is not obliged per (my reading of) the spec to require that
if discovery is done using HTTPS that authentication must also be done using
HTTPS.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>> wrote:</p>
<div>
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Is the SP right or wrong to
redirect to an http OP endpoint, given an https openid, in your understanding
of the spec (and what it means to be a conforming implementation)?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Though operating in openid1
legacy mode, neither SP not OP objected – probably because the spec does
call out for code to raise an exception – presumably because it isn't
one, formally.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Sent:</b> Thursday, January 01, 2009 3:00 PM<br>
<b>Cc:</b> OpenID List</span></p>
<div>
<p><span style="font-size: 10pt;"><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations</span></p>
</div>
</div>
</div>
<p> </p>
<p> </p>
<div>
<div>
<p>On 01/02/2009 12:49 AM, Eric Norman: </p>
</div>
</div>
<div>
<div><pre>On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:</pre><pre> </pre><pre> </pre>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><pre>The openid 2 spec says in section 15 (a non-normative must, note):</pre><pre> </pre><pre>"In order to get protection from SSL, SSL must be used for all parts </pre>
<pre>of the interaction, including interaction with the end user through </pre><pre>the User-Agent."</pre><pre> </pre></blockquote>
<pre> </pre><pre>When I include "https:" in my OpenID, I'm saying that I</pre><pre>want protection by SSL, right?</pre><pre> </pre>
<p style="margin-bottom: 12pt;"><br>
Your OpenID is https:// then, it's not ncesseraly the same as http and the
other way around too. It has been many times already mentioned. <br>
<br>
</p>
<pre> </pre><pre>So if something elsewhere decides not to use SSL for</pre><pre>whatever reason, that would be incorrect behavior, right?</pre><pre> </pre>
<p style="margin-bottom: 12pt;"><br>
Correct. However an OP may return the claimed OpenID as https (there are for
example some OPs which don't do plain http, only https via redirect.<br>
<br>
</p>
<pre> </pre><pre>And let's not forget that the error message I quoted is</pre><pre>clearly inappropriate.</pre><pre> </pre><pre> </pre><pre> </pre>
<p style="margin-bottom: 12pt;"> </p>
<div>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td colspan="2" style="padding: 0in;">
<p>Regards </p>
</td>
</tr>
<tr>
<td colspan="2" style="padding: 0in;">
<p> </p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Signer: </p>
</td>
<td style="padding: 0in;">
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Jabber: </p>
</td>
<td style="padding: 0in;">
<p><a href="mailto:startcom@startcom.org" target="_blank">startcom@startcom.org</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Blog: </p>
</td>
<td style="padding: 0in;">
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Phone: </p>
</td>
<td style="padding: 0in;">
<p>+1.213.341.0390</p>
</td>
</tr>
<tr>
<td colspan="2" style="padding: 0in;">
<p> </p>
</td>
</tr>
</tbody></table>
</div>
<p> </p>
</div>
</div>
</div>
</div>
</div>
<p style="margin-bottom: 12pt;"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a></p>
</div>
<p> </p>
</div></div></div>
</div>
</div>
</blockquote></div><br>