that ess in 'https'

Josh Hoyt josh at janrain.com
Tue Jun 27 22:20:01 UTC 2006


On 6/27/06, David Strauss <mailinglists at fourkitchens.com> wrote:
> Martin Atkins wrote:
> > I think the main thing that's bothering me about this assumption that
> > HTTPS and HTTP are the same is that it's making some arbitrary decision
> > that we can trust these URLs as the same as long as the hostname and
> > path are the same, regardless of scheme.
>
> It's not arbitrary. It's a whole different protocol layer below HTTP.
> Should we distinguish OpenIDs by whether the identity page traveled over
> IPv4 or IPv6?  It's the same basic thing.

It's not the same basic thing. Given an SSL certificate signed by a
trusted authority, using SSL adds protection against DNS spoofing and
man-in-the-middle attacks. If otherwise identical http and https URLs
are considered the same identifier, that protection goes away,
regardless of which URL a user chooses to use or the protocol prefers.
Calling http and https URLs equal weakens the strength of the
assertions that OpenID is *able* to make.

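As an added illustration of the point under discussion (this is example code, not part of the original message or of any OpenID library), the identifier normalization below canonicalizes the parts of a URL that carry no security meaning (scheme and host case, a default port, an empty path, a fragment) but keeps the scheme itself significant, so the http and https forms of the same host and path remain two different identifiers. Defaulting a scheme-less input to http, and the exact set of normalization steps, are assumptions made here for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that add nothing to the identifier when spelled out.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(url: str) -> str:
    """Canonicalize a URL identifier without erasing its scheme.

    Lower-cases scheme and host, drops a default port, supplies "/" for an
    empty path and removes the fragment.  The scheme is preserved, so an
    https identifier never compares equal to its http twin.
    """
    # Assumption for this example: a bare host is read as an http URL.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)  # urlsplit already lower-cases the scheme
    scheme = parts.scheme
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("identifier has no host")
    host = parts.hostname.lower()
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS[scheme]:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """True only if both URLs normalize to the same string, scheme included."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    print(same_identifier("HTTP://Example.com:80", "http://example.com/"))
    print(same_identifier("http://example.com/", "https://example.com/"))
```

With this comparison a relying party that stored the https identifier will not accept an assertion for the http one, which is exactly the distinction the reply above is arguing for.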