<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>Re: that ess in 'https'</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText98185 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>My concern with "try https
first" is it adds another required fetch for each RP.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>--David</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> yadis-bounces@lists.danga.com on behalf of
David Strauss<BR><B>Sent:</B> Tue 6/27/2006 3:00 PM<BR><B>To:</B> Martin
Atkins<BR><B>Cc:</B> yadis@lists.danga.com<BR><B>Subject:</B> Re: that ess in
'https'<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Martin Atkins wrote:<BR>> David Strauss wrote:<BR>> I
think my favourite solution right now is to require relying parties to<BR>>
support SSL and then use the existing "canonicalization through<BR>>
redirection" feature of OpenID to solve this problem. The problem that<BR>>
doesn't address is where an identity provider starts off on cleartext<BR>>
and migrates to SSL, which admittedly I don't have a good answer to.<BR><BR>I
don't like the redirection system because it still makes an insecure<BR>hop. It
would be more secure to try the https scheme first. I don't see<BR>why people
are resistant to this. The only restriction is that you can't<BR>have different
identities distinguished only by scheme.<BR><BR></FONT></P></DIV>
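The two canonicalization strategies argued over above (follow redirects starting from the cleartext URL, or try https first), as an added Python model that is not code from this thread or from any OpenID/Yadis library; the hostnames, identity-provider responses and the `fetch`/`Trace` helpers are constructed for the illustration, and the model only counts the cleartext hops and total fetches each approach makes.

```python
# Added illustration (not from the yadis thread): a toy model of the two
# canonicalization strategies, run against a constructed "network" so the
# cleartext hops and fetch counts can be compared offline.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed identity-provider responses: url -> (status, Location or None).
SITES = {
    "https://alice.example/": (200, None),                       # SSL available
    "http://alice.example/":  (301, "https://alice.example/"),   # cleartext redirect
    "http://bob.example/":    (200, None),                       # cleartext only
    # "https://bob.example/" is absent on purpose: the connection fails
}

@dataclass
class Trace:
    """Records every request an RP makes during discovery."""
    fetches: list = field(default_factory=list)

    def insecure_hops(self):
        return [u for u in self.fetches if urlsplit(u).scheme == "http"]

def fetch(url, trace):
    """Simulated HTTP GET; status 0 stands for a failed connection."""
    trace.fetches.append(url)
    return SITES.get(url, (0, None))

def canonicalize_via_redirect(identifier, trace, max_hops=5):
    """'Canonicalization through redirection': start from the URL as given
    (http:// when no scheme) and follow Location headers to the final URL.
    The first request is always the cleartext hop Strauss objects to."""
    url = identifier if "://" in identifier else "http://" + identifier
    for _ in range(max_hops):
        status, location = fetch(url, trace)
        if status in (301, 302) and location:
            url = location
            continue
        return url if status == 200 else None
    return None

def canonicalize_https_first(identifier, trace):
    """'Try https first': the scheme is discarded, so http://x and https://x
    name the same identity; https is attempted, then http as a fallback
    (the extra fetch Recordon raises when the https attempt fails)."""
    bare = identifier.split("://", 1)[-1]
    for scheme in ("https", "http"):
        url = f"{scheme}://{bare}"
        status, _ = fetch(url, trace)
        if status == 200:
            return url
    return None
```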
</BODY>
</HTML>