Minutes From Meeting Today

Recordon, David drecordon at verisign.com
Sat Jun 24 15:55:26 UTC 2006

This was something we discussed both days.  From the discussion on the
list, there are tradeoffs on both sides.

Treating them the same means that if your http:// identity is
compromised then so is your https:// one.  Ideally you're using https://
since it is more secure.

On the other hand, in terms of easing adoption and growth into the
future, treating them as the same identity is preferred.

Am I missing any strong arguments on either side?


-----Original Message-----
From: yadis-bounces at lists.danga.com
[mailto:yadis-bounces at lists.danga.com] On Behalf Of David Strauss
Sent: Saturday, June 24, 2006 8:34 AM
To: yadis at lists.danga.com
Subject: Re: Minutes From Meeting Today

Recordon, David wrote:
> - Recommends SSL in certain areas

My main concern is how the current spec treats
http://getopenid.com/david and https://getopenid.com/david as different
identities. While I understand how there *could* be exceptions, I think
both should be treated the same so users can gracefully move to using
SSL identity pages. I think the lack of SSL-signed identity pages is a
major weakness in OpenID that allows spoofing to direct authentication
to a rogue server.

David Strauss
Four Kitchen Studios, LLC
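The tradeoff the two Davids are arguing about comes down to one step in a relying party: how it canonicalizes a claimed identifier before comparing it or looking up which OpenID server speaks for it. The following is an added example, not code from the yadis/OpenID specification or from either poster, that implements both policies side by side and models Recordon's point that collapsing the schemes lets a compromised http:// identity page speak for the https:// one. The DISCOVERED table is constructed for the example (the rogue hostname is made up), standing in for what discovery on each identity page would return.

```python
from urllib.parse import urlsplit

# Ports that are implied by the scheme and therefore dropped from the canonical form.
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_identity(url: str, scheme_sensitive: bool) -> str:
    """Normalize an OpenID identifier URL for comparison.

    The host is lowercased, a default port is dropped, an empty path becomes "/"
    and a trailing slash is stripped. With scheme_sensitive=True the scheme is
    kept, so http:// and https:// forms are distinct identities (the behaviour
    of the spec under discussion); with False the scheme is erased, so the two
    forms collapse into one identity (the behaviour Strauss asks for).
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError if malformed
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    if scheme_sensitive:
        return f"{scheme}://{netloc}{path}"
    return f"{netloc}{path}"  # identity is host + path only


def same_identity(a: str, b: str, scheme_sensitive: bool) -> bool:
    """True if the two identifier URLs name the same identity under the chosen policy."""
    return canonical_identity(a, scheme_sensitive) == canonical_identity(b, scheme_sensitive)


# Constructed discovery results (assumption for this example): the server URL a
# relying party would learn by fetching each identity page. The https page points
# at the legitimate server; the http page has been tampered with to point at a
# rogue server, the spoofing Strauss describes. Hostnames are made up.
DISCOVERED = {
    "https://getopenid.com/david": "https://getopenid.com/server",
    "http://getopenid.com/david": "http://rogue.example.net/server",
}


def accepted_servers(claimed: str, scheme_sensitive: bool) -> set:
    """Model which OpenID servers a relying party would accept for `claimed`.

    Under the scheme-sensitive policy only the page at the claimed URL itself
    defines the server. Under the scheme-insensitive policy every page that
    canonicalizes to the same identity defines it, so whoever controls the
    http:// page also controls logins to the https:// identity: Recordon's
    "if your http:// identity is compromised then so is your https:// one".
    """
    key = canonical_identity(claimed, scheme_sensitive)
    return {server for page, server in DISCOVERED.items()
            if canonical_identity(page, scheme_sensitive) == key}


if __name__ == "__main__":
    for sensitive in (True, False):
        policy = "distinct" if sensitive else "same"
        print(f"http/https treated as {policy}: "
              f"{sorted(accepted_servers('https://getopenid.com/david', sensitive))}")
```

Run it and the scheme-insensitive policy lists both the legitimate and the rogue server for the https:// identity, while the scheme-sensitive policy lists only the legitimate one; that single line of output is the security cost that adoption convenience has to be weighed against.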
