that ess in 'https'
Martin Atkins
mart at degeneration.co.uk
Tue Jun 27 08:28:39 UTC 2006
Joaquin Miller wrote:
>
> But i thought our audience was
> the people who
> we would like to see
> use URLs to identify their personas.
>
That's very poetic.
However, "do it for the users!" is not a justification for producing a
flawed system, especially if that system is related to identity and
we're compromising on security.
I'm beginning to wonder exactly what the use case of SSL identity pages
is. The only thing identity pages are used for (as far as OpenID is
concerned) is finding the identity server URL, so I have to assume that
the use case in mind is to prevent "spoofing" of the identity URL to get
the consumer (relying party) to connect to the wrong place.
But if HTTP and HTTPS URLs are equivalent, surely I can just spoof the
HTTP version of your HTTPS URL and defeat the object entirely!
I also wonder whether SSL-supporting relying parties are actually doing
proper certificate checks for SSL identity URLs. If so, which
authorities should they trust? Should a relying party care if the
hostname on a certificate is wrong as it currently is for VeriSign's
PIP? Should a relying party check for certificate revocations? These
things should also be in the spec, really.
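
An added example, not part of the original message and not code from any OpenID or Yadis implementation: it shows how a relying party that compares identity URLs without the scheme accepts the plain-HTTP form of an HTTPS identifier, and which certificate checks Python's default TLS context applies when the identifier is fetched. The function names and the `alice.example.com` URLs are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(identity_url):
    """Split a claimed identity URL into (scheme, host, port, path)."""
    parts = urlsplit(identity_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) identity URL: {identity_url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port, parts.path or "/"

def same_identity_lax(a, b):
    """Treats the http and https forms as equivalent (scheme and port ignored)."""
    (_, host_a, _, path_a), (_, host_b, _, path_b) = normalize(a), normalize(b)
    return (host_a, path_a) == (host_b, path_b)

def same_identity_strict(a, b):
    """The scheme is part of the identifier, so http never matches https."""
    return normalize(a) == normalize(b)

def discovery_context(identity_url):
    """TLS settings for fetching the identity page; None means plain HTTP,
    where nothing authenticates the server that answers."""
    if normalize(identity_url)[0] != "https":
        return None
    ctx = ssl.create_default_context()   # trusts the system CA store
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    # Revocation checking is not on by default; it needs CRLs loaded plus
    # ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF.
    return ctx

if __name__ == "__main__":
    stored = "https://alice.example.com/"    # constructed sample values
    claimed = "http://alice.example.com/"
    print("lax match:   ", same_identity_lax(stored, claimed))
    print("strict match:", same_identity_strict(stored, claimed))
    print("verified fetch for claimed URL:", discovery_context(claimed) is not None)
```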