Eric,<br><br>I think you missed Martin's point. If an RP considered <a href="http://me">http://me</a> and <a href="https://me">https://me</a> to be the same identity, then although I log myself in as <a href="https://me">https://me</a> for security, someone else could log into that RP and spoof my identity simply by DNS poisoning the RP and then logging in as <a href="http://me">http://me</a>. <br>
<br>Because RPs consider http and https URLs that are otherwise identical to be different identities, then by myself signing in with <a href="https://me">https://me</a>, someone who compromises an RP's DNS server and logs in as <a href="http://me">http://me</a> won't be able to spoof my identity worth anything.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 6:59 PM, Eric Norman <span dir="ltr">&lt;<a href="mailto:ejnorman@doit.wisc.edu">ejnorman@doit.wisc.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
On Jan 1, 2009, at 7:49 PM, Martin Atkins wrote:<br>
<br>
> Eric Norman wrote:<br>
>> On Jan 1, 2009, at 6:40 PM, Martin Atkins wrote:<br>
>><br>
>>> OpenID really needs a way to migrate from one identifier to another<br>
>>> without breaking the connection to existing accounts.<br>
>><br>
>> If RPs do indeed include the "http(s)://" as part of their<br>
>> account identifiers, then yep, there's a migration problem.<br>
>><br>
>> In any case, I suggest that y'all rethink the notion that<br>
>> URLs that only differ by that "s" can represent different<br>
>> entities. I note that the above statement about what<br>
>> OpenID needs makes an implicit assumption that such URLs<br>
>> would represent the same entity.<br>
>><br>
><br>
> Two URLs that differ only in that the scheme is https vs. http *must*<br>
> be<br>
> considered to be different, otherwise any security benefits offered by<br>
> using https are rendered ineffective. (You could just compromise the<br>
> non-SSL version, ignoring the SSL version.)<br>
<br>
</div>Of course they're different. You can tell that just<br>
by looking at them. The point is that that doesn't<br>
mean that they have to represent (identify) different<br>
entities. Math geek language: there are mappings that<br>
aren't injective (one-to-one).<br>
<font color="#888888"><br>
Eric Norman<br>
</font><div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
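An added example, not part of the original thread and not taken from any OpenID library: a sketch of how an RP can key accounts on the claimed identifier with the scheme kept significant, next to a scheme-blind key that makes http://me and https://me collide as discussed in the thread. The normalization is simplified (bare input defaults to http, fragment dropped, default port removed); `AccountStore`, `scheme_blind_key` and the account name are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Simplified URL-identifier normalization that keeps the scheme."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s  # bare input is treated as an http URL
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("identifier must be an http or https URL")
    host = parts.hostname  # urlsplit already lowercases the host
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = "[" + host + "]"
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # An empty path becomes "/", and the fragment is dropped.
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def scheme_blind_key(url: str) -> str:
    """The flawed key: dropping the scheme merges the http and https identities."""
    return normalize_identifier(url).split("://", 1)[1]


class AccountStore:
    """Hypothetical RP account table keyed by the scheme-preserving identifier."""

    def __init__(self):
        self._by_identifier = {}

    def register(self, claimed_id: str, account: str) -> None:
        self._by_identifier[normalize_identifier(claimed_id)] = account

    def lookup(self, verified_claimed_id: str):
        # Call only after the OpenID assertion for this identifier was verified.
        return self._by_identifier.get(normalize_identifier(verified_claimed_id))


if __name__ == "__main__":
    store = AccountStore()
    store.register("https://me", "account-1")  # constructed sample account
    print(store.lookup("https://ME/#x"))  # same identity after normalization
    print(store.lookup("http://me"))  # different identity: no account found
    print(scheme_blind_key("http://me") == scheme_blind_key("https://me"))
```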