that ess in 'https'

David Strauss mailinglists at fourkitchens.com
Wed Jun 28 02:08:15 UTC 2006


Agreed. IdPs need not support SSL. Allowing people to delegate from
their blogs and homepages with $1.99/mo hosting pretty much makes
required SSL for identity pages impossible. (This is not to say RPs
can't voluntarily require it.)

Skipping up a level in the thread, the only practice I'd like to truly
standardize is that identical canonicalized URLs, scheme aside, must map
to the same identity (if they map to an identity at all). This differs
from Dag's proposal only in that URLs are also allowed to not exist or
map to no identity.

Adding this requirement would give RPs more freedom to choose a scheme
at their required security level. As far as I know, every existing IdP
is already compliant with this restriction.

Also, this restriction would be helpful for RPs that require https
identity pages. Because users generally enter their OpenIDs without a
scheme and there's currently no guarantee that changing the scheme keeps
the same identity, RPs that require https cannot safely prepend https://
without risking a connection to a different identity.

- David

Dag Arneson wrote:
> I guess it's not strictly necessary for IDPs to be required to serve
> https if they don't mind if their users cannot use their IDs for secure
> openid sites.
> 
> Recordon, David wrote:
>> I'd imagine LiveJournal would never be a compliant IdP then :-\  We
>> can't raise the bar too high for either an IdP or RP.  I don't mind as
>> much for IdPs, but still want it to be fairly simple.
>>  
>> --David
>>
>> ------------------------------------------------------------------------
>> *From:* yadis-bounces at lists.danga.com on behalf of Dag Arneson
>> *Sent:* Tue 6/27/2006 4:24 PM
>> *To:* yadis at lists.danga.com
>> *Cc:* Martin Atkins
>> *Subject:* Re: that ess in 'https'
>>
>> How about this scheme:
>>
>> Require IDPs to support serving both http and https ID URLs, with both
>> required to map to the same identity.  But relying parties can choose
>> which to support, so RPs that do sensitive things will only support
>> https URLs, while PhpBBs and similar applications can use the less
>> secure http URL.
>>
>>
>>
>>
> 



More information about the yadis mailing list