Minutes From Meeting Today
mart at degeneration.co.uk
Tue Jun 27 07:33:34 UTC 2006
David Strauss wrote:
> It doesn't matter what the general case for http versus https content
> is. Show me even *one* OpenID server that doesn't serve the same
> identity pages over both schemes.
LiveJournal: HTTP only. HTTPS goes to LiveJournal's payment site.
TypeKey: HTTPS only. Cleartext HTTP just goes to an error page.
Given that most SSL certificates apply to just one hostname, it seems
likely to me that identity providers are going to want to do things like:
Indeed, VeriSign's PIP is currently serving its SSL identity pages using
an invalid certificate because of this.
More information about the yadis