<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The thing is unless the RP unlinks the http version there is no increase in security.<div><br></div><div>A attacker just uses the insecure version connected to the account.</div><div><br></div><div>Guiding people to use the more secure version and removing the old is a challenge.</div><div><br></div><div>Something that I recommended OP's do a year ago was stop issuing http: uri for all new accounts have the URI normalized to https via redirect.</div><div><br></div><div>That at least stops the problem from getting bigger. At the moment the migration challenge gets bigger with each new user.</div><div><br></div><div>John B.<br><div><div>On 2009-09-17, at 1:31 PM, Chris Messina wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">One way to address this problem is for the RP to be smart and once a user has successfully authenticated against an HTTP URL, to detect whether an HTTPS OpenID endpoint exists at their provider and ask them to associate a "higher security" OpenID or something (obviously not the final language, flow, or user experience)... but the point being... we already see smart RPs allowing people to associate multiple identifiers with their account to ensure access in case one of their remote accounts goes down or is inaccessible... and simply because RPs want confirmed email addresses for spamming purposes (sigh, reality).<div>
<br></div><div>One approach for the interim could simply be for RPs to accept HTTP URLs to start and then to detect or simply "know" which OPs offer an SSL OpenID endpoint and again, offer to "link" the HTTPS account to their HTTP account.</div>
<div><br></div><div>In the future, it could be the case (perhaps), that the RP can do an "upgrade" to the scheme before initiating the OpenID redirect if they recognize what the user typed into the box...</div><div>
<br></div><div>Alternatively (and a less good UX) would be to have a checkbox beneath the OpenID button/entry field that says "Use a secure connection when available"...</div><div><br></div><div>Not great, but potential stopgap measures.</div>
<div><br></div><div>Chris</div><div><br><div><br><div class="gmail_quote">2009/9/17 John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">At some point we need to deal with this issue of step up authentication.<div><br></div><div>When a user with a http: URI turns up at a site with the https: scheme.</div><div><br></div><div>
RP's are expressly forbidden from treating them as equivalent by openID 2.0.</div><div><br></div><div>Finding a way to allow RPs to migrate users from http to https seems a reasonable goal.</div><div><br></div><div>Going the other way should be precluded.</div>
<div><br></div><div>The RP at the moment is required to normalize to http if the user is not explicit.</div><div><br></div><div>There are a bunch of things that are leading security to be lowest common denominator.</div><div>
<br></div><div>I am hoping that some of the things in the GSA profile will get people thinking about some of the issues.</div><div><br></div><div>John B.</div><div><br></div><div><br><div><div><div></div><div class="h5"><div>
On 2009-09-17, at 12:58 PM, Steven Livingstone P้rez wrote:</div><br></div></div><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="font-size:10pt;font-family:Verdana">
<div><div></div><div class="h5">I recently had this issue and decided to drop http and use https exclusively.<br><br>Inconvenience for some but solves a lot of potential pain. In addition I allow 'linking' of other OpenID's so you can use others if you wish. On my site it is now all SSL.<br>
<br>BUT I'm not AOL and appreciate your pain given the pain I went through.<br><br>steven<br><a href="http://livz.org/" target="_blank">http://livz.org</a><br><br>> Date: Thu, 17 Sep 2009 11:52:19 -0400<br>> From:<span> </span><a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a><br>
> To:<span> </span><a href="mailto:peterw@tux.org" target="_blank">peterw@tux.org</a><br>> CC:<span> </span><a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a><br>> Subject: Re: [OpenID] https discovery & login for AOL at long last?<br>
><span> </span><br>> Hi Peter,<br>><span> </span><br>> A couple of things:) We are working on supporting https identifiers and<span> </span><br>> from a directed-identity perspective, all pair-wise pseudonymous<span> </span><br>
> "OpenIDs" will be SSL. We are also working on resolving the SSL issue<span> </span><br>> for<span> </span><a href="http://openid.aol.com/" target="_blank">openid.aol.com</a>, so that you can use<span> </span><br>
><span> </span><a href="https://openid.aol.com/identifier" target="_blank">https://openid.aol.com/identifier</a><span> </span>as a valid OpenID. I can't promise any<span> </span><br>> time lines (normal big company stuff) but this is a goal of our ongoing<span> </span><br>
> OpenID work.<br>><span> </span><br>> We do have a "unique" problem (shared by a few other OPs) in that we<span> </span><br>> have active users using http based OpenIDs at Relying Parties across the<span> </span><br>
> web. So we can't move to SSL only OpenIDs without breaking those<span> </span><br>> customer's experience. I suspect that if you force all OpenIDs to be<span> </span><br>> SSL, then a user's interaction with your site will work just fine.<br>
><span> </span><br>> I have heard a couple reasonable suggestions (notably Breno from Google)<span> </span><br>> for helping to connect an https OpenID to an http one by leveraging the<span> </span><br>> OpenID XRDS file retrievable over SSL. There are currently no<span> </span><br>
> "standards" around this, but I believe it is worth exploring. However,<span> </span><br>> it would mean that RPs would need to do some extra work which is<span> </span><br>> questionable.<br>><span> </span><br>
> Again, I can't promise dates, but this is on our roadmap:)<br>><span> </span><br>> Thanks,<br>> George<br>><span> </span><br>><span> </span><br>> John Bradley wrote:<br>> > Expect positive news from AOL.<br>
> ><br>> > They have been working very hard behind the scenes.<br>> ><br>> > They have openID 2.0 RP support enabled on some of there sites.<br>> > They don't get proper credit for that.<br>
> ><br>> > I can confirm that they are in testing for the GSA pilot as a openID<span> </span><br>> > 2.0 OP.<br>> ><br>> > John B.<br>> > On 2009-09-16, at 5:27 PM, Peter Watkins wrote:<br>
> ><br>> >> Wired says that the US federal governmment will soon let people<br>> >> log in to government Web sites with OpenID identifiers from a select<br>> >> few RPs, including AOL<br>> >><span> </span><a href="http://www.wired.com/epicenter/2009/09/feds-embrace-openid/" target="_blank">http://www.wired.com/epicenter/2009/09/feds-embrace-openid/</a><br>
> >><br>> >> The Wired article implies that AOL has https-only authentication<span> </span><br>> >> enabled:<br>> >><br>> >> "These companies have undergone a certification process designed by the<br>
> >> Information Card Foundation, the OpenID Foundation and the federal<br>> >> government that guarantees certain privacy safeguards. For instance,<br>> >> the sites have to use SSL to handle logins"<br>
> >><br>> >> Does AOL finally have https-secured OpenID authentication? Perhaps with<br>> >> directed identity? The only way I know to use directed identity with AOL<br>> >> is via<span> </span><a href="http://openid.aol.com/" target="_blank">http://openid.aol.com/</a>. That server does have a certificate<span> </span><br>
> >> installed,<br>> >> but the cert is for<span> </span><a href="http://api.screenname.aol.com/" target="_blank">api.screenname.aol.com</a>, and<span> </span><br>> >><span> </span><a href="https://api.screenname.aol.com/" target="_blank">https://api.screenname.aol.com/</a><br>
> >> is not a valid URL for OpenID discovery.<br>> >><br>> >> Does this .gov news release herald a rebirth of AOL as an OpenID RP?<br>> >><br>> >> Thanks,<br>> >><br>> >> Peter<br>
> >><br>> >> _______________________________________________<br>> >> general mailing list<br>> >><span> </span><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
> >><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>> ><br>> > _______________________________________________<br>
> > general mailing list<br>> ><span> </span><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>> ><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
> ><br>><span> </span><br>> --<span> </span><br>> Chief Architect<br>> Identity Services, AOL<br>> Blog:<span> </span><a href="http://practicalid.blogspot.com/" target="_blank">http://practicalid.blogspot.com</a><br>
><span> </span><br>><span> </span><br>> _______________________________________________<br>> general mailing list<br>><span> </span><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
><span> </span><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br><br><hr></div></div>Ready for Fall shows? Use Bing to find helpful ratings and reviews on digital tv's.<span> </span><a href="http://www.bing.com/shopping/search?q=digital+tv" target="_blank">Click here.</a>_______________________________________________<div class="im">
<br>general mailing list<br><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</div></div></span></blockquote></div><br></div></div><br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com/">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com/">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org/">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net/">http://openid.net</a><br>
<br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div></div>
</blockquote></div><br></div></body></html>