SP? Do you mean RP? SP is an acronym that applies to OAuth. OpenID uses RP and OP. I assume by SP you mean RP here...<br><br>The <a href="http://openid.net/specs/openid-authentication-2_0.html#security_considerations">OpenID 2.0 spec section 15</a> calls out several opt-in measures that an RP or OP can take to increase security for the authentication process. But no, as has been stated an RP is not obliged per (my reading of) the spec to require that if discovery is done using HTTPS that authentication must also be done using HTTPS.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="white" link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Is the SP right or wrong to redirect to an http OP endpoint,
given an https openid, in your understanding of the spec (and what it means to
be a conforming implementation)?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Though operating in openid1 legacy mode, neither SP nor OP objected
– probably because the spec does call out for code to raise an exception –
presumably because it isn't one, formally.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt; color: windowtext;">From:</span></b><span style="font-size: 10pt; color: windowtext;"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Thursday, January 01, 2009 3:00 PM<br>
<b>Cc:</b> OpenID List<div class="Ih2E3d"><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations</div></span></p>
</div>
</div>
<p> </p>
<p><br></p><div><div></div><div class="Wj3C7c">
On 01/02/2009 12:49 AM, Eric Norman: </div></div><div><div></div><div class="Wj3C7c">
<pre>On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:</pre><pre> </pre><pre> </pre>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><pre>The openid 2 spec says in section 15 (a non-normative must, note):</pre><pre> </pre><pre>"In order to get protection from SSL, SSL must be used for all parts </pre>
<pre>of the interaction, including interaction with the end user through </pre><pre>the User-Agent."</pre><pre> </pre></blockquote>
<pre> </pre><pre>When I include "https:" in my OpenID, I'm saying that I</pre><pre>want protection by SSL, right?</pre><pre> </pre>
<p><br>
Your OpenID is https:// then, it's not necessarily the
same as http and the other way around too. It has been
mentioned many times already. <br>
<br>
<br>
</p>
<pre> </pre><pre>So if something elsewhere decides not to use SSL for</pre><pre>whatever reason, that would be incorrect behavior, right?</pre><pre> </pre>
<p><br>
Correct. However an OP may return the claimed OpenID as https (there are, for
example, some OPs which don't do plain http, only https via redirect).<br>
<br>
<br>
</p>
<pre> </pre><pre>And let's not forget that the error message I quoted is</pre><pre>clearly inappropriate.</pre><pre> </pre><pre> </pre><pre> </pre>
<p style="margin-bottom: 12pt;"> </p>
<div>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td colspan="2" style="padding: 0in;">
<p>Regards </p>
</td>
</tr>
<tr>
<td colspan="2" style="padding: 0in;">
<p> </p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Signer: </p>
</td>
<td style="padding: 0in;">
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Jabber: </p>
</td>
<td style="padding: 0in;">
<p><a>startcom@startcom.org</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Blog: </p>
</td>
<td style="padding: 0in;">
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></p>
</td>
</tr>
<tr>
<td style="padding: 0in;">
<p>Phone: </p>
</td>
<td style="padding: 0in;">
<p>+1.213.341.0390</p>
</td>
</tr>
<tr>
<td colspan="2" style="padding: 0in;">
<p> </p>
</td>
</tr>
</tbody></table>
</div>
<p> </p>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>
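<p>The policy discussed in this thread, as an added example that is not code from the list, from any of the posters, or from any RP library: an OpenID 2.0 Relying Party check that classifies the transport of a discovered OP endpoint against the scheme of the claimed identifier and, as an opt-in measure in the spirit of spec section 15 ("SSL must be used for all parts of the interaction"), refuses to redirect an https: identifier to an http: endpoint. It also allows the http: identifier that resolves to an https: endpoint case Eddy mentions, and goes one step beyond the thread with a stricter "require SSL everywhere" switch. All function and parameter names are this example's own assumptions, and the discovery results in <code>SAMPLE_DISCOVERY</code> are constructed, not captured from a real OP.</p>

```python
"""Added example, not code from the OpenID list thread or from any RP
library: an OpenID 2.0 Relying Party policy check that refuses to
redirect the user-agent to an http: OP endpoint when discovery started
from an https: claimed identifier.

Section 15 of the OpenID 2.0 spec (quoted in the thread) says SSL only
protects the login if it is used for every leg of the exchange, and the
thread's point is that the RP is not obliged to enforce that. A
security-conscious RP can opt in; this is one way to do so. All names
here are this example's own assumptions, and the discovery results in
SAMPLE_DISCOVERY are constructed, not captured from a real OP.
"""
from urllib.parse import urlparse


class InsecureEndpoint(Exception):
    """Raised when the RP policy refuses to redirect to the OP endpoint."""


def classify_endpoint(claimed_id: str, op_endpoint: str) -> str:
    """Classify the transport of a discovered OP endpoint relative to the
    claimed identifier the user typed.

    Returns:
      "ok"        both legs https:, or an http: identifier that resolved
                  to an https: endpoint (an upgrade, which is harmless)
      "downgrade" https: identifier but http: endpoint: the case argued
                  about in the thread
      "plaintext" http: identifier and http: endpoint: no SSL anywhere
    Raises InsecureEndpoint for an endpoint that is not an absolute
    http(s) URL, since the RP could not redirect to it safely anyway.
    """
    claimed = urlparse(claimed_id)
    endpoint = urlparse(op_endpoint)
    if endpoint.scheme not in ("http", "https") or not endpoint.netloc:
        raise InsecureEndpoint(f"malformed OP endpoint: {op_endpoint!r}")
    if endpoint.scheme == "https":
        return "ok"
    if claimed.scheme == "https":
        return "downgrade"
    return "plaintext"


def check_op_endpoint(claimed_id: str, op_endpoint: str,
                      refuse_downgrade: bool = True,
                      require_https: bool = False) -> str:
    """Apply the RP's opt-in policy and return the classification, or
    raise InsecureEndpoint if the policy refuses the redirect.

    refuse_downgrade: refuse https: -> http: (the thread's complaint).
    require_https:    refuse any http: endpoint, whatever the identifier.
    """
    verdict = classify_endpoint(claimed_id, op_endpoint)
    if verdict == "downgrade" and (refuse_downgrade or require_https):
        raise InsecureEndpoint(
            f"{claimed_id} was discovered over https but the OP endpoint "
            f"{op_endpoint} is plain http; refusing to downgrade")
    if verdict == "plaintext" and require_https:
        raise InsecureEndpoint(
            f"OP endpoint {op_endpoint} is plain http and this RP "
            "requires SSL for the whole exchange")
    return verdict


def is_allowed(claimed_id: str, op_endpoint: str, **policy) -> bool:
    """True if the policy lets the redirect proceed, False if it refuses."""
    try:
        check_op_endpoint(claimed_id, op_endpoint, **policy)
        return True
    except InsecureEndpoint:
        return False


# Constructed discovery results: (claimed identifier, discovered OP
# endpoint). The hostnames are made up for this example.
SAMPLE_DISCOVERY = [
    ("https://alice.example.net/", "https://op.example.net/server"),
    ("https://bob.example.net/",   "http://op.example.net/server"),
    ("http://carol.example.net/",  "https://op.example.net/server"),
    ("http://dave.example.net/",   "http://op.example.net/server"),
]


def audit(results=SAMPLE_DISCOVERY, **policy) -> dict:
    """Run the policy over a list of discovery results and return
    {claimed_id: (classification, allowed)} for each."""
    report = {}
    for claimed_id, op_endpoint in results:
        report[claimed_id] = (classify_endpoint(claimed_id, op_endpoint),
                              is_allowed(claimed_id, op_endpoint, **policy))
    return report


if __name__ == "__main__":
    for claimed_id, (verdict, allowed) in audit().items():
        print(f"{claimed_id:<30} {verdict:<10} "
              f"{'redirect' if allowed else 'REFUSED'}")
```

<p>With the default policy only the https: identifier that discovers an http: endpoint is refused; an RP that wants the full section 15 guarantee passes <code>require_https=True</code> and also refuses the all-plaintext case. Whether an RP should do this is exactly what the thread disputes; the check only makes the choice explicit instead of silently following discovery.</p>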