Minutes From Meeting Today

Martin Atkins mart at degeneration.co.uk
Tue Jun 27 07:33:34 UTC 2006


David Strauss wrote:
> 
> It doesn't matter what the general case for http versus https content
> is. Show me even *one* OpenID server that doesn't serve the same
> identity pages over both schemes.
> 

LiveJournal: HTTP only. HTTPS goes to LiveJournal's payment site.
TypeKey: HTTPS only. Cleartext HTTP just goes to an error page.

Given that most SSL certificates apply to just one hostname, it seems 
likely to me that identity providers are going to want to do things like:
http://username.domain.com/
https://domain.com/username

Indeed, VeriSign's PIP is currently serving its SSL identity pages using 
an invalid certificate because of this.



More information about the yadis mailing list