that ess in 'https'

Recordon, David drecordon at
Tue Jun 27 23:27:38 UTC 2006

My concern with "try https first" is it adds another required fetch for each RP.


From: yadis-bounces at on behalf of David Strauss
Sent: Tue 6/27/2006 3:00 PM
To: Martin Atkins
Cc: yadis at
Subject: Re: that ess in 'https'

Martin Atkins wrote:
> David Strauss wrote:
> I think my favourite solution right now is to require relying parties to
> support SSL and then use the existing "canonicalization through
> redirection" feature of OpenID to solve this problem. The problem that
> doesn't address is where an identity provider starts off on cleartext
> and migrates to SSL, which admittedly I don't have a good answer to.

I don't like the redirection system because it still makes an insecure
hop. It would be more secure to try the https scheme first. I don't see
why people are resistant to this. The only restriction is that you can't
have different identities distinguished only by scheme.
