Minutes From Meeting Today

[David Strauss]

Martin Atkins wrote:
> Andrew Wallace wrote:
>>>
>>> I think a better goal would be to figure out a way that users can
>>> securely migrate from one identity to another, since this comes up in
>>> more cases than just SSL vs. cleartext HTTP. For example, if I'm
>>> using a username.identityprovider.com URL and I want to migrate to
>>> myowndomain.com, I currently have no way to prove that the two
>>> identities are both me.
>>
>>
>> While I appreciate the need for general solution, I think there is an
>> argument for special casing the http/https case.  The visual
>> difference is
>> negligible, and (I suspect) for most users it's semantically meaningless.
>> The user expectation, valid or not, is likely to be that the two forms
>> refer
>> to the same entity.
>>
> 
> How many sites genuinely offer identical content on both their plain and
> SSL websites? My experience says not many. In general, the SSL bit just
> contains the stuff that needs to be over SSL, and the plain bit
> specifically *doesn't* contain that stuff.
> 
> Considering the two to be identical is ridiculous, both because no spec
> makes no guarantee that the two will be identical and because in
> practice they are almost always different.
> 
> Therefore we're going to need a way for a particular server to indicate
> "Hey, although usually the SSL and the cleartext bits aren't the same,
> in this case they are!". Perhaps that solution can also be applied to
> tying together separate identities, or maybe not. Either way, I'd rather
> see it explicitly declared than just assumed.

It doesn't matter what the general case for http versus https content
is. Show me even *one* OpenID server that doesn't serve the same
identity pages over both schemes.

David Strauss
Four Kitchen Studios
GetOpenID.com