[security] HTTP and HTTPS URL issue (was RE: security)
Joaquin Miller
joaquin at netmesh.us
Fri Oct 27 20:19:18 UTC 2006
>the legitimate user may well accidentally sign in with the
>compromised identity
I might be missing something here.
(I'm neither stating nor implying any opinion in this message.
Just trying to understand.)
We seem to be determined to
-- allow entry of an identity URL without the scheme and
-- distinguish an identity URL in http from an otherwise-the-same identity URL in https
-- set up a way for this to work transparently for the user
Thereby, we are (let's not deny it)
encouraging folks to enter their identity URL without the scheme,
regardless of the scheme.
So:
Please correct me if I am wrong:
Our legitimate user did not
accidentally
sign in with the compromised identity URL;
she simply behaved as we have encouraged her to behave.
Cordially, Joaquin
--- complete paragraph from original message ---
>Notice that the resulting URL is different in the latter case. The
>attacker must compromise somewhereelse.com in order to "steal" that
>identifier. It sucks that example.com has been compromised, but that
>isn't the identifier that all RPs know the legitimate user as
>anyway. The worst that can happen as far as mistaken identity goes
>is if the compromise is persistent, the legitimate user may well
>accidentally sign in with the compromised identity expecting the
>redirect to happen, which isn't as bad as a loss of the user's
>primary identifier.
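The three design choices the message lists, written out as an added example that is not from the list thread or from any OpenID implementation: a simplified identifier normalizer (assumed rules: a scheme-less entry gets "http://", host lower-cased, default ports dropped, empty path becomes "/"), a check that http and https twins are distinct identifiers, and a relying-party-side check that flags the situation the quoted paragraph worries about, a scheme-less entry silently landing on the http twin of an https identifier the RP already knows.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed, simplified normalization rules; not the rules of any specific
# OpenID draft. Default ports that are dropped from the authority.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into a canonical identifier URL."""
    text = user_input.strip()
    if "://" not in text:
        # The transparent default the thread discusses: no scheme means http.
        text = "http://" + text
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    # Fragment is not part of the identifier and is dropped.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """http://x/ and https://x/ normalize differently, so they are distinct."""
    return normalize_identifier(a) == normalize_identifier(b)


def scheme_downgrade_warning(user_input: str, known_identifier: str) -> bool:
    """True when a scheme-less entry became the http twin of an https identifier
    the RP already knows for this user. An RP can prompt instead of accepting
    the http identifier, which is the 'accidental sign-in' the thread describes."""
    entered = normalize_identifier(user_input)
    known = normalize_identifier(known_identifier)
    return (
        "://" not in user_input.strip()
        and entered.startswith("http://")
        and known == "https://" + entered[len("http://"):]
    )
```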