that ess in 'https'
Martin Atkins
mart at degeneration.co.uk
Wed Jun 28 18:22:35 UTC 2006
Dag Arneson wrote:
> How about this scheme:
>
> Require IDPs to support serving both http and https ID URLs, with both
> required to map to the same identity. But relying parties can choose
> which to support, so RPs that do sensitive things will only support
> https URLs, while PhpBBs and similar applications can use the less
> secure http URL.
>
Under this proposal I would not be able to serve my own identity URL
because I don't have an SSL certificate nor any desire to pay to get one.
Sure, I could use a self-signed certificate, but since relying parties
generally do these requests non-interactively there's no opportunity to
display the "Are you sure you trust this certificate? I can't validate
it!" message that web browsers generally display in that case, so they'd
probably just reject the connection outright.