that ess in 'https'

Dag Arneson dag at janrain.com
Tue Jun 27 23:41:23 UTC 2006


I guess it's not strictly necessary for IDPs to be required to serve 
https if they don't mind if their users cannot use their IDs for secure 
openid sites.

Recordon, David wrote:
> I'd imagine LiveJournal would never be a compliant IdP then :-\  We 
> can't raise the bar too high for either an IdP or RP.  I don't mind as 
> much for IdPs, but still want it to be fairly simple.
>  
> --David
> 
> ------------------------------------------------------------------------
> *From:* yadis-bounces at lists.danga.com on behalf of Dag Arneson
> *Sent:* Tue 6/27/2006 4:24 PM
> *To:* yadis at lists.danga.com
> *Cc:* Martin Atkins
> *Subject:* Re: that ess in 'https'
> 
> How about this scheme:
> 
> Require IDPs to support serving both http and https ID URLs, with both
> required to map to the same identity.  But relying parties can choose
> which to support, so RPs that do sensitive things will only support
> https URLs, while PhpBBs and similar applications can use the less
> secure http URL.
> 
> 
> 
> 
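The relying-party side of the scheme proposed in the quoted message, as an added example that is not part of the original thread or of any OpenID/Yadis library. The function name, the `https_only` flag and the scheme-independent identity key (host plus path) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample ID URLs, not taken from the thread.
SAMPLE_HTTPS_ID = "https://user.example.com/"
SAMPLE_HTTP_ID = "http://User.Example.com"


class IdentifierRejected(ValueError):
    """Raised when a claimed ID URL does not meet this RP's policy."""


def accept_identifier(claimed_url, https_only):
    """Return (identity_key, verified_over_tls) or raise IdentifierRejected.

    identity_key drops the scheme, on the assumption (from the proposal)
    that an IdP's http and https ID URLs map to the same identity.
    """
    parts = urlsplit(claimed_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise IdentifierRejected("ID URL must be http or https")
    if https_only and scheme != "https":
        # An RP doing sensitive things never falls back to the http form.
        raise IdentifierRejected("this relying party accepts only https ID URLs")
    host = parts.hostname  # urlsplit already lower-cases the host
    if not host or parts.username or parts.password:
        raise IdentifierRejected("ID URL needs a plain host name")
    try:
        port = parts.port
    except ValueError:
        raise IdentifierRejected("invalid port") from None
    if port is not None and port != {"http": 80, "https": 443}[scheme]:
        raise IdentifierRejected("non-default ports are outside this sketch")
    path = parts.path or "/"
    key = host + path + ("?" + parts.query if parts.query else "")
    # Record how the ID was presented so an http login is never later
    # treated as if it had been verified over TLS.
    return key, scheme == "https"


if __name__ == "__main__":
    print(accept_identifier(SAMPLE_HTTPS_ID, https_only=True))
    print(accept_identifier(SAMPLE_HTTP_ID, https_only=False))
```
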


