Minutes From Meeting Today
mailinglists at fourkitchens.com
Tue Jun 27 09:36:53 UTC 2006
Martin Atkins wrote:
> David Strauss wrote:
>> It doesn't matter what the general case for http versus https content
>> is. Show me even *one* OpenID server that doesn't serve the same
>> identity pages over both schemes.
> LiveJournal: HTTP only. HTTPS goes to LiveJournal's payment site.
> TypeKey: HTTPS only. Cleartext HTTP just goes to an error page.
> Given that most SSL certificates apply to just one hostname, it seems
> likely to me that identity providers are going to want to do things like:
> Indeed, VeriSign's PIP is currently serving its SSL identity pages using
> an invalid certificate because of this.
I should have phrased my challenge more carefully because those aren't
really counterexamples to my proposal. What I should have said is "Show
me even *one* OpenID server that serves different identity pages at the
same URL (scheme aside)."
The sites you mention don't maintain different identities at http versus
https, one scheme just doesn't serve *any* identity page.
The only reason making them interchangeable (at some level) would be a
problem is if a server maintains different *identities* at the two
locations. Having no identity page at one or the other isn't a problem.
More information about the yadis