that ess in 'https'

Recordon, David drecordon at verisign.com
Tue Jun 27 23:27:38 UTC 2006


My concern with "try https first" is that it adds another required fetch for each RP.
 
--David

________________________________

From: yadis-bounces at lists.danga.com on behalf of David Strauss
Sent: Tue 6/27/2006 3:00 PM
To: Martin Atkins
Cc: yadis at lists.danga.com
Subject: Re: that ess in 'https'



Martin Atkins wrote:
> David Strauss wrote:
> I think my favourite solution right now is to require relying parties to
> support SSL and then use the existing "canonicalization through
> redirection" feature of OpenID to solve this problem. The problem that
> doesn't address is where an identity provider starts off on cleartext
> and migrates to SSL, which admittedly I don't have a good answer to.

I don't like the redirection system because it still makes an insecure
hop. It would be more secure to try the https scheme first. I don't see
why people are resistant to this. The only restriction is that you can't
have different identities distinguished only by scheme.
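The trade-off the two Davids are arguing about (the extra fetch that "try https first" costs, the cleartext hop that the redirection approach keeps, and the restriction that identities may not differ only by scheme) can be made concrete by simulating both discovery strategies against a handful of identities. The following is an added example written for this archive page, not code from the thread or from any OpenID/Yadis implementation; the hostnames, the in-memory page table and the fetch logging are constructed stand-ins and no network access happens.

```python
"""Added example (not part of the mailing-list thread): simulate "try https
first" versus "fetch as given, then follow the canonicalization redirect"
and count how many fetches each needs and how many of them are cleartext.
All hosts and page contents below are constructed for the illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the identity pages an RP might fetch.
# Key: a URL that exists.  Value: the canonical identity that page declares
# (a value different from the key models a canonicalization redirect).
SAMPLE_PAGES = {
    "https://alice.example/": "https://alice.example/",   # SSL-only identity
    "http://bob.example/": "http://bob.example/",         # cleartext-only identity
    "http://carol.example/": "https://carol.example/",    # cleartext page redirects to SSL
    "https://carol.example/": "https://carol.example/",
}


@dataclass
class FetchLog:
    """Records every fetch an RP performs so the cost of a strategy is visible."""
    fetches: list = field(default_factory=list)

    def fetch(self, url):
        """Return the canonical identity served at url, or None if nothing is there."""
        self.fetches.append(url)
        return SAMPLE_PAGES.get(url)

    @property
    def insecure_hops(self):
        """The fetches that went over cleartext http."""
        return [u for u in self.fetches if u.startswith("http://")]


def with_scheme(identifier, scheme):
    """Rewrite a user-typed identifier (with or without a scheme) to use `scheme`."""
    parts = urlsplit(identifier if "://" in identifier else "http://" + identifier)
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


def discover_https_first(identifier, log):
    """Strauss's proposal: try https, fall back to http only if https fails.
    Side effect: http://x/ and https://x/ always resolve to the same identity."""
    for scheme in ("https", "http"):
        canonical = log.fetch(with_scheme(identifier, scheme))
        if canonical is not None:
            return canonical
    return None


def discover_redirect(identifier, log):
    """The existing behaviour: fetch the scheme the user gave (http when none
    was given) and follow the canonicalization redirect, if the page has one."""
    scheme = urlsplit(identifier).scheme if "://" in identifier else "http"
    url = with_scheme(identifier, scheme)
    canonical = log.fetch(url)
    if canonical is not None and canonical != url:
        log.fetch(canonical)          # the redirected-to identity is fetched too
    return canonical


def compare(identifier):
    """Run both strategies and return (fetch count, insecure hop count) for each."""
    a, b = FetchLog(), FetchLog()
    discover_https_first(identifier, a)
    discover_redirect(identifier, b)
    return {
        "https_first": (len(a.fetches), len(a.insecure_hops)),
        "redirect": (len(b.fetches), len(b.insecure_hops)),
    }


if __name__ == "__main__":
    for ident in ("alice.example", "bob.example", "carol.example"):
        print(ident, compare(ident))
```

Running the block shows both positions in the thread: for a cleartext-only identity such as `bob.example`, https-first costs an extra (failed) fetch before the http one, which is Recordon's objection; for an identity that migrated to SSL such as `carol.example`, the redirect approach makes one cleartext hop before reaching the https page, which is Strauss's objection, while https-first reaches it directly. Passing `http://alice.example/` to `discover_https_first` returns `https://alice.example/`, illustrating the stated restriction that two identities may not differ only by scheme.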


