About http/https: different or the same identity:

Wieringa, Helmer (RBI-NL) Helmer.Wieringa at reedbusiness.nl
Wed Jun 28 13:44:19 UTC 2006


What is indeed against deciding to make the use of the secure protocol
just mandatory for identity management messaging? Pro: decreasing
security risks and no identity crises; we do not want complexity -
Helmer 


-----Original message-----
From: yadis-bounces at lists.danga.com
[mailto:yadis-bounces at lists.danga.com] On behalf of
yadis-request at lists.danga.com
Sent: Wednesday 28 June 2006 14:00
To: yadis at lists.danga.com
Subject: [SPAM-BA] - yadis Digest, Vol 14, Issue 23 - Bayesian Filter
detected spam

Send yadis mailing list submissions to
	yadis at lists.danga.com

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.danga.com/mailman/listinfo/yadis
or, via email, send a message with subject or body 'help' to
	yadis-request at lists.danga.com

You can reach the person managing the list at
	yadis-owner at lists.danga.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of yadis digest..."


Today's Topics:

   1. RE: that ess in 'https' (Recordon, David)
   2. RE: that ess in 'https' (Recordon, David)
   3. Re: that ess in 'https' (Dag Arneson)
   4. Re: that ess in 'https' (David Strauss)
   5. Re: that ess in 'https' (David Strauss)


----------------------------------------------------------------------

Message: 1
Date: Tue, 27 Jun 2006 16:27:38 -0700
From: "Recordon, David" <drecordon at verisign.com>
Subject: RE: that ess in 'https'
To: "David Strauss" <mailinglists at fourkitchens.com>,	"Martin Atkins"
	<mart at degeneration.co.uk>
Cc: yadis at lists.danga.com
Message-ID: <8A1A6155AA70064EBE4DC370E709147B91A341 at MOU1WNEXMB11.vcorp.ad.vrsn.com>
Content-Type: text/plain; charset="iso-8859-1"

My concern with "try https first" is it adds another required fetch for
each RP.
 
--David

________________________________

From: yadis-bounces at lists.danga.com on behalf of David Strauss
Sent: Tue 6/27/2006 3:00 PM
To: Martin Atkins
Cc: yadis at lists.danga.com
Subject: Re: that ess in 'https'



Martin Atkins wrote:
> David Strauss wrote:
> I think my favourite solution right now is to require relying parties to
> support SSL and then use the existing "canonicalization through
> redirection" feature of OpenID to solve this problem. The problem that
> doesn't address is where an identity provider starts off on cleartext
> and migrates to SSL, which admittedly I don't have a good answer to.

I don't like the redirection system because it still makes an insecure
hop. It would be more secure to try the https scheme first. I don't see
why people are resistant to this. The only restriction is that you can't
have different identities distinguished only by scheme.




------------------------------

Message: 2
Date: Tue, 27 Jun 2006 16:29:30 -0700
From: "Recordon, David" <drecordon at verisign.com>
Subject: RE: that ess in 'https'
To: "Dag Arneson" <dag at janrain.com>, <yadis at lists.danga.com>
Cc: Martin Atkins <mart at degeneration.co.uk>
Message-ID: <8A1A6155AA70064EBE4DC370E709147B91A342 at MOU1WNEXMB11.vcorp.ad.vrsn.com>
Content-Type: text/plain; charset="iso-8859-1"

I'd imagine LiveJournal would never be a compliant IdP then :-\  We
can't raise the bar too high for either an IdP or RP.  I don't mind as
much for IdPs, but still want it to be fairly simple.
 
--David

________________________________

From: yadis-bounces at lists.danga.com on behalf of Dag Arneson
Sent: Tue 6/27/2006 4:24 PM
To: yadis at lists.danga.com
Cc: Martin Atkins
Subject: Re: that ess in 'https'



How about this scheme:

Require IDPs to support serving both http and https ID URLs, with both
required to map to the same identity.  But relying parties can choose
which to support, so RPs that do sensitive things will only support
https URLs, while PhpBBs and similar applications can use the less
secure http URL.







------------------------------

Message: 3
Date: Tue, 27 Jun 2006 16:41:23 -0700
From: Dag Arneson <dag at janrain.com>
Subject: Re: that ess in 'https'
To: "Recordon, David" <drecordon at verisign.com>
Cc: yadis at lists.danga.com
Message-ID: <44A1C223.9040909 at janrain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I guess it's not strictly necessary for IDPs to be required to serve 
https if they don't mind if their users cannot use their IDs for secure 
openid sites.

Recordon, David wrote:
> I'd imagine LiveJournal would never be a compliant IdP then :-\  We 
> can't raise the bar too high for either an IdP or RP.  I don't mind as
> much for IdPs, but still want it to be fairly simple.
>  
> --David
> 
> ------------------------------------------------------------------------
> *From:* yadis-bounces at lists.danga.com on behalf of Dag Arneson
> *Sent:* Tue 6/27/2006 4:24 PM
> *To:* yadis at lists.danga.com
> *Cc:* Martin Atkins
> *Subject:* Re: that ess in 'https'
> 
> How about this scheme:
> 
> Require IDPs to support serving both http and https ID URLs, with both
> required to map to the same identity.  But relying parties can choose
> which to support, so RPs that do sensitive things will only support
> https URLs, while PhpBBs and similar applications can use the less
> secure http URL.
> 
> 
> 
> 



------------------------------

Message: 4
Date: Tue, 27 Jun 2006 20:52:11 -0500
From: David Strauss <mailinglists at fourkitchens.com>
Subject: Re: that ess in 'https'
To: "Recordon, David" <drecordon at verisign.com>
Cc: Martin Atkins <mart at degeneration.co.uk>, yadis at lists.danga.com
Message-ID: <44A1E0CB.1060402 at fourkitchens.com>
Content-Type: text/plain; charset=UTF-8

1. If the https page exists, it's only one fetch.
2. The http redirect you suggest would result in two fetches for the
https case (granted, they'd be more automated because of the redirect)
and only one for the http case. This would optimize for the http case,
which I hope isn't the common one. We should "make the common case
fast," as the CS design rule goes.
3. Fetching http first allows an easier compromise of the system: all
the attacker needs to do is forge the http page so there's no redirect.
The "fetching https first" method would require blocking the https fetch
and forging the http page to be compromised. Granted, it's not much
harder.
4. The "fetch https first" method wouldn't break existing RPs. In fact,
I'd approach the method as a recommended practice more than a
requirement.
5. A redirect to the https page would break RPs that can't fetch https
pages. This may not be a problem if we begin requiring RPs to have
https-fetching capability.

- David

Recordon, David wrote:
> My concern with "try https first" is it adds another required fetch for each RP.
>  
> --David
> 
> ________________________________
> 
> From: yadis-bounces at lists.danga.com on behalf of David Strauss
> Sent: Tue 6/27/2006 3:00 PM
> To: Martin Atkins
> Cc: yadis at lists.danga.com
> Subject: Re: that ess in 'https'
> 
> 
> 
> Martin Atkins wrote:
>> David Strauss wrote:
>> I think my favourite solution right now is to require relying parties to
>> support SSL and then use the existing "canonicalization through
>> redirection" feature of OpenID to solve this problem. The problem that
>> doesn't address is where an identity provider starts off on cleartext
>> and migrates to SSL, which admittedly I don't have a good answer to.
> 
> I don't like the redirection system because it still makes an insecure
> hop. It would be more secure to try the https scheme first. I don't see
> why people are resistant to this. The only restriction is that you can't
> have different identities distinguished only by scheme.
> 
> 
> 
> 



------------------------------

Message: 5
Date: Tue, 27 Jun 2006 21:08:15 -0500
From: David Strauss <mailinglists at fourkitchens.com>
Subject: Re: that ess in 'https'
To: Dag Arneson <dag at janrain.com>
Cc: yadis at lists.danga.com
Message-ID: <44A1E48F.3050809 at fourkitchens.com>
Content-Type: text/plain; charset=UTF-8

Agreed. IdPs need not support SSL. Allowing people to delegate from
their blogs and homepages with $1.99/mo hosting pretty much makes
required SSL for identity pages impossible. (This is not to say RPs
can't voluntarily require it.)

Skipping up a level in the thread, the only practice I'd like to truly
standardize is that identical canonicalized URLs, scheme aside, must map
to the same identity (if they map to an identity at all). This differs
from Dag's proposal only in that URLs are also allowed to not exist or
map to no identity.

Adding this requirement would give RPs more freedom to choose a scheme
at their required security level. As far as I know, every existing IdP
is already compliant with this restriction.

Also, this restriction would be helpful for RPs that require https
identity pages. Because users generally enter their OpenIDs without a
scheme and there's currently no guarantee that changing the scheme keeps
the same identity, RPs that require https cannot safely prepend https://
without risking a connection to a different identity.

- David

Dag Arneson wrote:
> I guess it's not strictly necessary for IDPs to be required to serve
> https if they don't mind if their users cannot use their IDs for secure
> openid sites.
> 
> Recordon, David wrote:
>> I'd imagine LiveJournal would never be a compliant IdP then :-\  We
>> can't raise the bar too high for either an IdP or RP.  I don't mind as
>> much for IdPs, but still want it to be fairly simple.
>>  
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* yadis-bounces at lists.danga.com on behalf of Dag Arneson
>> *Sent:* Tue 6/27/2006 4:24 PM
>> *To:* yadis at lists.danga.com
>> *Cc:* Martin Atkins
>> *Subject:* Re: that ess in 'https'
>>
>> How about this scheme:
>>
>> Require IDPs to support serving both http and https ID URLs, with both
>> required to map to the same identity.  But relying parties can choose
>> which to support, so RPs that do sensitive things will only support
>> https URLs, while PhpBBs and similar applications can use the less
>> secure http URL.
>>
>>
>>
>>
> 



------------------------------
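Added example (Python, not code from the yadis list or any OpenID library) covering the https-first discovery order argued in Message 4 and the "same canonical URL, scheme aside, means the same identity" rule from Message 5, with Dag's stricter both-schemes variant as an option. The `fetch` callback, the sample pages and the `.example` hostnames are constructed; a real RP would fetch the identity page and read what it delegates to.

```python
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
Fetch = Callable[[str], Optional[str]]  # url -> identity key the page maps to, or None

def canonical_key(identifier: str) -> str:
    """Normalize an identifier and drop its scheme, so the key an RP stores
    is the same for the http and https forms of one URL."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident  # users type no scheme; placeholder, discarded below
    parts = urlsplit(ident)
    host = parts.hostname or ""  # urlsplit lowercases the host
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return host + (parts.path or "/")

def discover(identifier: str, fetch: Fetch, require_https: bool = False) -> Optional[Tuple[str, str]]:
    """Try https first, fall back to http only if the RP allows it; an RP that
    requires https never lets a cleartext page stand in for a missing https one.
    Returns (url fetched, identity key it maps to) or None."""
    key = canonical_key(identifier)
    for scheme in ("https",) if require_https else ("https", "http"):
        url = f"{scheme}://{key}"
        identity = fetch(url)
        if identity is not None:
            return url, identity
    return None

def scheme_invariant_holds(identifier: str, fetch: Fetch, require_both: bool = False) -> bool:
    """Strauss's rule: URLs identical apart from scheme map to the same identity
    or to none; Dag's variant (require_both=True) also demands both be served."""
    key = canonical_key(identifier)
    present = [i for i in (fetch(f"{s}://{key}") for s in ("https", "http")) if i is not None]
    if require_both and len(present) != 2:
        return False
    return len(set(present)) <= 1

# Constructed sample identity pages: URL -> identity it maps to (absent = not served).
SAMPLE_PAGES = {
    "https://alice.example/": "alice.example/",
    "http://alice.example/": "alice.example/",
    "http://bob.example/": "bob.example/",     # cheap host without SSL
    "https://carol.example/": "carol.example/",
    "http://carol.example/": "dave.example/",  # scheme changes the identity: violates the rule
}

def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_PAGES.get(url)
```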

_______________________________________________
yadis mailing list
yadis at lists.danga.com
http://lists.danga.com/mailman/listinfo/yadis


End of yadis Digest, Vol 14, Issue 23
*************************************

