[security] HTTP and HTTPS URL issue (was RE: security)
Pete Rowley
prowley at redhat.com
Fri Oct 27 19:04:52 UTC 2006
Gabe Wachob wrote:
> Now, I'm confused.
>
> HTTPS and HTTP URIs are different from each other because they are.
> Different schemes - go read RFC 3696, 2616, et al...
>
That's great n all, and then some folks thought it would be good to use
these things for something else :)
So, whatever scheme you use hardly matters since the identifier is
really rooted in the domain not the scheme - the scheme describes a
transport and really should be left to what it was designed for.
> BUT, if we treat them the same, then aren't we opening up a new security
> issue?
>
> If we treat them the same, then if I enter an HTTPS URI, that means a RP is
> free to use the HTTP URI?
>
> Surely we don't mean "same" - we mean that HTTP URIs are transformed into
> HTTPS URIs before being used for discovery via a simple transform -
> s/^http:/https:/ ?
>
>
I said the same for the purpose of identification /i.e./ the identifiers
are equivalent. It is then up to the RP/IdP to do the right thing. If
https can be used it should be /etc./
--
Pete
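The distinction Pete draws (scheme-independent equivalence for identification, but the RP still choosing the transport carefully) can be made concrete. The following is an added example, not code from the thread or from any OpenID library: `identity_key` compares identifiers with the scheme stripped, and `discovery_url` picks the URL to fetch while never downgrading a user-entered https identifier to http. The `https_available` predicate is an assumed caller-supplied hook standing in for whatever probe or cache a real RP would use.

```python
"""Identifier equivalence vs. transport choice for URL identifiers.

Added example (not from the original thread). Two helpers:
  identity_key()  -- the part of a URL that names the user: host,
                     non-default port, path, query. The scheme is dropped,
                     so http://example.com/alice and https://example.com/alice
                     are the same identity.
  discovery_url() -- the URL an RP should actually fetch. A user-entered
                     https identifier is never downgraded; an http identifier
                     is upgraded to https when the host supports it.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def identity_key(identifier: str) -> tuple:
    """Scheme-independent key for deciding whether two identifiers name the
    same person: lower-cased host, explicit non-default port (or None),
    path ('/' if empty) and query. Fragments are ignored."""
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # None when absent; int otherwise
    if port == DEFAULT_PORTS[scheme]:
        port = None
    path = parts.path or "/"
    return (host, port, path, parts.query)


def same_identity(a: str, b: str) -> bool:
    """True when a and b are equivalent identifiers regardless of scheme."""
    return identity_key(a) == identity_key(b)


def discovery_url(identifier: str, https_available) -> str:
    """Choose the URL to use for discovery.

    https_available(host) is an assumed caller-supplied predicate (in a real
    RP this would be a cached probe result). Rules:
      * https entered by the user stays https: no downgrade.
      * http entered by the user is upgraded to https when the host supports
        it and the identifier carries no explicit port (a custom port was
        chosen for http and cannot be assumed to speak TLS).
    """
    host, port, path, query = identity_key(identifier)
    scheme = urlsplit(identifier).scheme.lower()
    if scheme == "http" and port is None and https_available(host):
        scheme = "https"
    netloc = host if port is None else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, path, query, ""))


if __name__ == "__main__":
    # Constructed sample identifiers; 'example.com' is assumed to offer TLS.
    supports_tls = lambda host: host == "example.com"
    print(same_identity("http://Example.com/alice", "https://example.com:443/alice"))
    print(discovery_url("https://example.com/alice", supports_tls))
    print(discovery_url("http://example.com/alice", supports_tls))
    print(discovery_url("http://plain.example.org/alice", supports_tls))
```

The split matters for exactly the concern Gabe raises: equivalence is a property of the identifier, while the choice of transport is a property of the fetch, and the fetch logic must never let "equivalent" turn into "free to use the HTTP one".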