yadis Digest, Vol 14, Issue 1

Dan Lyke danlyke at flutterby.com
Thu Jun 1 14:32:40 UTC 2006


On Wed, 31 May 2006 22:49:30 -0700, Chris Drake wrote:
> I'd recommend prepending https:// if the user's entering his url on an
> https:// web site.  Is there a way in the spec to "fall back" to a
> plain http:// one if the secure one fails?  I think security is
> important - we're handling people's identities here.

I think I could make an argument either way on this one, so I'm going to  
argue the opposite from you just to make sure we have all of the issues on  
the table. So, the arguments for http as the default:

1. Remember that this is already public information, we're handing it out  
to a third party. The links contained within the Yadis document can point  
to https resources.

1.a. Counter: Might open things up to "man in the middle" attacks. I  
haven't looked carefully at how the various UserAgent libraries deal with  
verifying certificates or thought much about how many DNS machines would  
have to be compromised to make a reasonable attack. However, I remember  
doing this analysis with LID and thinking that the risks were acceptable.

2. If the https fails, then we'd have to roll back to the http web site.  
Since this is an operation that we're kind of hoping can be done in "user  
clicks submit and gets back next interaction" sort of time, that's an  
extra delay.

3. While I'm fine with paying a few bucks a year for domain registration,  
I balk at a few hundred a year to a certificate authority, so defaulting  
to https takes us that much further from user-owned identities.

I'm also quite happy to punt this particular issue off to the developers  
of Relying Parties and seeing what evolves, as I really don't think it's  
that critical to come up with a specific recommendation just yet. I'm just  
resisting in the case of the conformance test because that's there to help  
developers understand the protocol and where their use or implementation  
of it may deviate from the spec, not there to be friendly to the users.

There were a few times when I started to put something like this in, and  
then had to go remind myself that, no, the spec left that an open question  
and I couldn't resolve it.

Dan
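
The scheme-selection question discussed in this message, as an added example that is not part of the original post or of the Yadis spec (which, per the message, leaves it open): one possible Relying Party policy that tries https first on an https site, falls back to http, and reports both the extra fetch and the downgrade so the caller can decide what to do with it. The names `candidate_urls`, `resolve`, `Resolution` and the injected `fetch` callable are hypothetical, and the sample site is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


def candidate_urls(user_input: str, rp_scheme: str) -> List[str]:
    """Ordered URLs to try for the identifier the user typed (assumed policy)."""
    text = user_input.strip()
    if text.lower().startswith(("http://", "https://")):
        return [text]                      # explicit scheme: honour it, no fallback
    if rp_scheme == "https":
        return ["https://" + text, "http://" + text]
    return ["http://" + text]


@dataclass
class Resolution:
    url: str          # URL that actually returned a document
    document: str
    attempts: int     # fetches made; 2 means the fallback cost a round trip
    downgraded: bool  # True when https was tried first and only http answered


def resolve(user_input: str, rp_scheme: str,
            fetch: Callable[[str], Optional[str]]) -> Optional[Resolution]:
    """fetch(url) returns the document text, or None on any failure."""
    urls = candidate_urls(user_input, rp_scheme)
    for attempts, url in enumerate(urls, start=1):
        document = fetch(url)
        if document is not None:
            downgraded = url.startswith("http://") and urls[0].startswith("https://")
            return Resolution(url, document, attempts, downgraded)
    return None


# Constructed sample: a host that only serves plain http.
SAMPLE_SITE = {"http://example.com/dan": "<xrds>constructed sample</xrds>"}

if __name__ == "__main__":
    print(resolve("example.com/dan", "https", SAMPLE_SITE.get))
```
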

