that ess in 'https'
drecordon at verisign.com
Tue Jun 27 23:27:38 UTC 2006
My concern with "try https first" is that it adds another required fetch for each RP.
From: yadis-bounces at lists.danga.com on behalf of David Strauss
Sent: Tue 6/27/2006 3:00 PM
To: Martin Atkins
Cc: yadis at lists.danga.com
Subject: Re: that ess in 'https'
Martin Atkins wrote:
> David Strauss wrote:
> I think my favourite solution right now is to require relying parties to
> support SSL and then use the existing "canonicalization through
> redirection" feature of OpenID to solve this problem. The problem that
> doesn't address is where an identity provider starts off on cleartext
> and migrates to SSL, which admittedly I don't have a good answer to.
I don't like the redirection system because it still makes an insecure
hop. It would be more secure to try the https scheme first. I don't see
why people are resistant to this. The only restriction is that you can't
have different identities distinguished only by scheme.
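
The trade-off discussed in this thread, as an added example that is not part of the original messages: a relying party resolving an identifier either by following redirects from the cleartext URL or by trying the https scheme first. The `SITES` table, the `fetch` stub and all function names are constructed for illustration and stand in for real HTTP requests.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the network: URL -> ("redirect", target) or ("doc", None).
# A URL missing from the table behaves like a failed connection.
SITES = {
    "http://alice.example/": ("redirect", "https://alice.example/"),  # migrated to SSL
    "https://alice.example/": ("doc", None),
    "http://bob.example/": ("doc", None),  # cleartext-only provider
}

def fetch(url):
    """Hypothetical fetch: returns (kind, target), or None if unreachable."""
    return SITES.get(url)

def with_scheme(url, scheme):
    """Return the same URL with its scheme replaced."""
    return urlunsplit((scheme,) + tuple(urlsplit(url)[1:]))

def follow(url, max_hops=5):
    """Follow redirects; return (final URL or None, list of URLs fetched)."""
    hops = []
    for _ in range(max_hops):
        hops.append(url)
        result = fetch(url)
        if result is None:
            return None, hops
        kind, target = result
        if kind == "doc":
            return url, hops
        url = target
    return None, hops

def report(final, hops):
    """Summarize cost (fetches) and exposure (URLs requested in cleartext)."""
    return {"final": final, "fetches": len(hops),
            "cleartext_hops": [h for h in hops if h.startswith("http://")]}

def resolve_by_redirect(identifier):
    """Canonicalization through redirection, starting from the cleartext URL."""
    return report(*follow(with_scheme(identifier, "http")))

def resolve_https_first(identifier):
    """Try the https scheme first; fall back to http only if that fails."""
    final, hops = follow(with_scheme(identifier, "https"))
    if final is None:
        final, more = follow(with_scheme(identifier, "http"))
        hops += more
    return report(final, hops)
```

For the migrated provider, redirect-following makes one cleartext request before reaching https, while https-first makes none; for the cleartext-only provider, https-first costs the one extra fetch raised in the reply.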