Minutes From Meeting Today

Andrew Wallace andrwal at gmail.com
Mon Jun 26 18:41:55 UTC 2006


>Date: Sun, 25 Jun 2006 14:50:32 +0100
>From: Martin Atkins <mart at degeneration.co.uk>
>Subject: Re: Minutes From Meeting Today
>To: yadis at lists.danga.com
>Message-ID: <e7m465$ho9$1 at sea.gmane.org>
>Content-Type: text/plain; charset=UTF-8; format=flowed

>David Strauss wrote:
>> Recordon, David wrote:
>> 
>>>- Recommends SSL in certain areas
>> 
>> 
>> My main concern is how the current spec treats
>> http://getopenid.com/david and https://getopenid.com/david as different
>> identities. While I understand how there *could* be exceptions, I think
>> both should be treated the same so users can gracefully move to using
>> SSL identity pages. I think the lack of SSL-signed identity pages is a
>> major weakness in OpenID that allows spoofing to direct authentication
>> to a rogue server.
>> 
>
>I think a better goal would be to figure out a way that users can 
>securely migrate from one identity to another, since this comes up in 
>more cases than just SSL vs. cleartext HTTP. For example, if I'm using a 
>username.identityprovider.com URL and I want to migrate to 
>myowndomain.com, I currently have no way to prove that the two 
>identities are both me.

While I appreciate the need for general solution, I think there is an
argument for special casing the http/https case.  The visual difference is
negligible, and (I suspect) for most users it's semantically meaningless.
The user expectation, valid or not, is likely to be that the two forms refer
to the same entity.

- Andrew Wallace


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.4/375 - Release Date: 6/25/2006
 



More information about the yadis mailing list