Minutes From Meeting Today
drecordon at verisign.com
Sat Jun 24 15:55:26 UTC 2006
This was something we discussed both days. From the discussion on the
list, there are tradeoffs on both sides.
Treating them the same means that if your http:// identity is
compromised then so is your https:// one. Ideally you're using https://
since it is more secure.
On the other hand, in terms of easing adoption and growth into the
future, treating them as the same identity is preferred.
I'm I missing any strong arguments on either side?
From: yadis-bounces at lists.danga.com
[mailto:yadis-bounces at lists.danga.com] On Behalf Of David Strauss
Sent: Saturday, June 24, 2006 8:34 AM
To: yadis at lists.danga.com
Subject: Re: Minutes From Meeting Today
Recordon, David wrote:
> - Recommends SSL in certain areas
My main concern is how the current spec treats
http://getopenid.com/david and https://getopenid.com/david as different
identities. While I understand how there *could* be exceptions, I think
both should be treated the same so users can gracefully move to using
SSL identity pages. I think the lack of SSL-signed identity pages is a
major weakness in OpenID that allows spoofing to direct authentication
to a rogue server.
Four Kitchen Studios, LLC
More information about the yadis