Minutes From Meeting Today

[Martin Atkins]

Andrew Wallace wrote:
>>
>>I think a better goal would be to figure out a way that users can 
>>securely migrate from one identity to another, since this comes up in 
>>more cases than just SSL vs. cleartext HTTP. For example, if I'm using a 
>>username.identityprovider.com URL and I want to migrate to 
>>myowndomain.com, I currently have no way to prove that the two 
>>identities are both me.
> 
> 
> While I appreciate the need for general solution, I think there is an
> argument for special casing the http/https case.  The visual difference is
> negligible, and (I suspect) for most users it's semantically meaningless.
> The user expectation, valid or not, is likely to be that the two forms refer
> to the same entity.
> 

How many sites genuinely offer identical content on both their plain and 
SSL websites? My experience says not many. In general, the SSL bit just 
contains the stuff that needs to be over SSL, and the plain bit 
specifically *doesn't* contain that stuff.

Considering the two to be identical is ridiculous, both because no spec 
makes no guarantee that the two will be identical and because in 
practice they are almost always different.

Therefore we're going to need a way for a particular server to indicate 
"Hey, although usually the SSL and the cleartext bits aren't the same, 
in this case they are!". Perhaps that solution can also be applied to 
tying together separate identities, or maybe not. Either way, I'd rather 
see it explicitly declared than just assumed.