I didn't get the idea that Kleber wanted to avoid standard signature verification. Historically HTTPS OpenIDs caused problems for lesser RP implementations and it sounds like Kleber wants pure-HTTPS that won't cause these problems for RPs. <div>
<br></div><div>My answer for Kleber, if I'm right, is yes, pure-SSL is achievable by an OP without compromising RPs at this point. I can't think of any worthwhile RPs that haven't worked out all their SSL issues by this point.<br>
<div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
<br>
<br><br><div class="gmail_quote">On Wed, Feb 9, 2011 at 5:58 AM, John Bradley <span dir="ltr">&lt;<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
All of the providers that support the US ICAM profile have SSL endpoints available. Others probably do but there is no guarantee.<br>
<br>
The OpenID assertion is sent via redirect so it would not be safe to not validate the HMAC signature or perform direct validation.<br>
<br>
There will be an option for verifying asymmetric signatures in OpenID ABC.<br>
<br>
What is your reason for not doing an association and validating the signature that way?<br>
<br>
John B.<br>
<div><div></div><div class="h5"><br>
On 2011-02-09, at 10:46 AM, Kleber - Corujito wrote:<br>
<br>
> Is it possible to implement a Provider working (everything) with HTTPS?<br>
><br>
> I mean not just possible, but that normal RPs will be able to use it without problems in discovery, association or direct verification.<br>
><br>
> For example, a simple Java or PHP application/installation would be able to validate an SSL certificate?<br>
><br>
> Thanks<br>
</div></div>> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br>
<br></blockquote></div><br></div></div>
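<div>An added example, not part of the original thread or of any OpenID library: the association-based HMAC check John Bradley refers to, as an RP would run it on an OpenID 2.0 positive assertion received via redirect. The endpoint URLs, handle, nonce and MAC key are constructed sample values, and the nonce replay, return_to and discovery checks are assumed to happen elsewhere.</div>

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires openid.signed to cover on a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form(params, signed):
    """Key-value form: 'key:value\\n' per signed field, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")


def verify_assertion(params, mac_key, assoc_type="HMAC-SHA256"):
    """Return True only if openid.sig is valid and covers the required fields."""
    signed = params.get("openid.signed", "").split(",")
    # claimed_id and identity must be signed whenever they are present.
    present = {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not (REQUIRED_SIGNED | present).issubset(signed):
        return False
    if any("openid." + k not in params for k in signed):
        return False
    expected = hmac.new(mac_key, kv_form(params, signed), DIGESTS[assoc_type]).digest()
    try:
        received = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received)  # constant-time comparison


def build_sample(mac_key):
    """Constructed sample assertion, signed the way an OP would sign it."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-02-09T15:00:00Zabc123",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return params
```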