that ess in 'https'

Martin Atkins mart at
Tue Jun 27 08:28:39 UTC 2006

Joaquin Miller wrote:
> But I thought our audience was
>   the people who
>      we would like to see
>          use URLs to identify their personas.

That's very poetic.

However, "do it for the users!" is not a justification for producing a 
flawed system, especially if that system is related to identity and 
we're compromising on security.

I'm beginning to wonder exactly what the use case of SSL identity pages 
is. The only thing identity pages are used for (as far as OpenID is 
concerned) is finding the identity server URL, so I have to assume that 
the use case in mind is to prevent "spoofing" of the identity URL to get 
the consumer (relying party) to connect to the wrong place.

But if HTTP and HTTPS URLs are equivalent, surely I can just spoof the 
HTTP version of your HTTPS URL and defeat the object entirely!

I also wonder whether SSL-supporting relying parties are actually doing 
proper certificate checks for SSL identity URLs. If so, which 
authorities should they trust? Should a relying party care if the 
hostname on a certificate is wrong as it currently is for VeriSign's 
PIP? Should a relying party check for certificate revocations? These 
things should also be in the spec, really.
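
The following is an added example, not part of the original message or of any OpenID/Yadis implementation. It sketches a relying party that keeps the scheme significant when comparing identity URLs and fetches HTTPS identity pages with certificate chain and hostname verification. The function names, the `alice.example.org` URLs and the choice of the system trust store are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Canonical form of a claimed identity URL; the scheme stays significant."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("identity URL must be http or https")
    host = (p.hostname or "").lower()
    if not host:
        raise ValueError("identity URL has no host")
    # Drop the port only when it is the default for this scheme.
    port = "" if p.port in (None, DEFAULT_PORTS[scheme]) else ":%d" % p.port
    query = "?" + p.query if p.query else ""
    return "%s://%s%s%s%s" % (scheme, host, port, p.path or "/", query)

def same_identity_lax(a, b):
    """Policy questioned in the message: http and https treated as equivalent."""
    return normalize(a).split("://", 1)[1] == normalize(b).split("://", 1)[1]

def same_identity_strict(a, b):
    """An https identity only matches an https identity."""
    return normalize(a) == normalize(b)

def discovery_context():
    """TLS settings for fetching an https identity page.

    Assumption: the relying party trusts the operating system CA store.
    create_default_context() requires a valid chain and a matching hostname.
    It does not check revocation; that needs CRLs loaded and
    ssl.VERIFY_CRL_CHECK_LEAF set in verify_flags.
    """
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx

if __name__ == "__main__":
    # Constructed sample identifiers.
    secure = "https://alice.example.org/"
    plain = "http://alice.example.org/"
    # Under the lax policy, discovery over plain HTTP stands in for the
    # HTTPS identity, so the TLS checks never protect it.
    print("lax   :", same_identity_lax(secure, plain))
    print("strict:", same_identity_strict(secure, plain))
    print("hostname check:", discovery_context().check_hostname)
```
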
