Minutes From Meeting Today

Martin Atkins mart at degeneration.co.uk
Sun Jun 25 13:50:32 UTC 2006


David Strauss wrote:
> Recordon, David wrote:
> 
>>- Recommends SSL in certain areas
> 
> 
> My main concern is how the current spec treats
> http://getopenid.com/david and https://getopenid.com/david as different
> identities. While I understand how there *could* be exceptions, I think
> both should be treated the same so users can gracefully move to using
> SSL identity pages. I think the lack of SSL-signed identity pages is a
> major weakness in OpenID that allows spoofing to direct authentication
> to a rogue server.
> 

I think a better goal would be to figure out a way that users can 
securely migrate from one identity to another, since this comes up in 
more cases than just SSL vs. cleartext HTTP. For example, if I'm using a 
username.identityprovider.com URL and I want to migrate to 
myowndomain.com, I currently have no way to prove that the two 
identities are both me.
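The two concerns raised in the thread, as an added example that is not code from the original posts or from any OpenID specification: a scheme-sensitive identifier comparison under which http://getopenid.com/david and https://getopenid.com/david are distinct identities, and a hypothetical bidirectional-link migration check in which the old identity page and the new identity page must each point at the other before a relying party accepts them as the same person. The link relation names (x-identity-migration-to / -from), the page markup and the fetch_page stub over constructed pages are all assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url):
    """Canonicalise an identity URL for comparison.

    Case-folds scheme and host, drops any fragment and defaults an empty
    path to "/". The scheme is deliberately kept, so the http and https
    forms of the same page remain distinct identifiers, which is the
    behaviour discussed in the thread.
    """
    parts = urlsplit(url.strip())
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


def same_identity(a, b):
    return normalize(a) == normalize(b)


class _LinkRelParser(HTMLParser):
    """Collects href values of <link> elements carrying a given rel."""

    def __init__(self, rel):
        super().__init__()
        self.rel = rel
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        d = dict(attrs)
        rels = (d.get("rel") or "").lower().split()
        if self.rel in rels and d.get("href"):
            self.hrefs.append(d["href"])


def migration_links(html, rel):
    parser = _LinkRelParser(rel)
    parser.feed(html)
    return [normalize(h) for h in parser.hrefs]


# Constructed sample identity pages standing in for live fetches (assumption).
# The attacker page claims to be the successor of the provider-hosted
# identity, but the provider-hosted page never points back at it.
PAGES = {
    "http://username.identityprovider.com/":
        '<html><head><link rel="x-identity-migration-to" '
        'href="http://myowndomain.com/"></head></html>',
    "http://myowndomain.com/":
        '<html><head><link rel="x-identity-migration-from" '
        'href="http://username.identityprovider.com/"></head></html>',
    "http://attacker.example/":
        '<html><head><link rel="x-identity-migration-from" '
        'href="http://username.identityprovider.com/"></head></html>',
}


def fetch_page(url):
    """Hypothetical fetch: returns the constructed page body or ''."""
    return PAGES.get(normalize(url), "")


def migration_verified(old_url, new_url, fetch=fetch_page):
    """Accept a migration only if both pages assert it.

    A one-sided claim on the new page is not enough: anyone can publish a
    page saying "I used to be X". Requiring X itself to name the new URL
    means only whoever controls X can authorise the move.
    """
    old_n, new_n = normalize(old_url), normalize(new_url)
    old_says = migration_links(fetch(old_n), "x-identity-migration-to")
    new_says = migration_links(fetch(new_n), "x-identity-migration-from")
    return new_n in old_says and old_n in new_says


if __name__ == "__main__":
    print(same_identity("http://getopenid.com/david",
                        "https://getopenid.com/david"))
    print(migration_verified("http://username.identityprovider.com/",
                             "http://myowndomain.com/"))
    print(migration_verified("http://username.identityprovider.com/",
                             "http://attacker.example/"))
```

The check is only as strong as the transport used to fetch the two pages: over cleartext HTTP an on-path attacker can forge either link, which is the same spoofing concern raised earlier in the thread.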



More information about the yadis mailing list