Minutes From Meeting Today

[David Strauss]

Martin Atkins wrote:
> David Strauss wrote:
>> Recordon, David wrote:
>>
>>> - Recommends SSL in certain areas
>>
>>
>> My main concern is how the current spec treats
>> http://getopenid.com/david and https://getopenid.com/david as different
>> identities. While I understand how there *could* be exceptions, I think
>> both should be treated the same so users can gracefully move to using
>> SSL identity pages. I think the lack of SSL-signed identity pages is a
>> major weakness in OpenID that allows spoofing to direct authentication
>> to a rogue server.
>>
> 
> I think a better goal would be to figure out a way that users can
> securely migrate from one identity to another, since this comes up in
> more cases than just SSL vs. cleartext HTTP. For example, if I'm using a
> username.identityprovider.com URL and I want to migrate to
> myowndomain.com, I currently have no way to prove that the two
> identities are both me.

That is completely true.

To make this simple and automatic, Consumer sites could migrate the raw
OpenID URLs to delegated ones, possibly with the user's confirmation.
After all, the delegation page includes the raw OpenID URL, and the
Consumer located the delegation page through the preferred OpenID URL.
This would allow a one-time migration from a hosted OpenID to a
delegated one. Delegated ones should be much more stable.

Would that solve the majority of the need without introducing
significant new UI? I'm trying to balance user need with both existing
implementations and the need to limit bloat in the UI. (I'd rather see a
system guess what the user wants to do -- with high accuracy -- and
confirm it than offer yet another configuration panel.)

But based on the tone of other responses I've gotten on here, I'd assume
many of the other people behind OpenID would rather leave it up to the
Consumer than prescribe behavior here.

David Strauss
Four Kitchen Studios, LLC
GetOpenID.com