Minutes From Meeting Today
Martin Atkins
mart at degeneration.co.uk
Sun Jun 25 13:50:32 UTC 2006
David Strauss wrote:
> Recordon, David wrote:
>
>>- Recommends SSL in certain areas
>
>
> My main concern is how the current spec treats
> http://getopenid.com/david and https://getopenid.com/david as different
> identities. While I understand how there *could* be exceptions, I think
> both should be treated the same so users can gracefully move to using
> SSL identity pages. I think the lack of SSL-signed identity pages is a
> major weakness in OpenID that allows spoofing to direct authentication
> to a rogue server.
>
I think a better goal would be to figure out a way that users can
securely migrate from one identity to another, since this comes up in
more cases than just SSL vs. cleartext HTTP. For example, if I'm using a
username.identityprovider.com URL and I want to migrate to
myowndomain.com, I currently have no way to prove that the two
identities are both me.