

Martin Atkins mart at
Wed Jun 28 18:22:35 UTC 2006

Dag Arneson wrote:
> How about this scheme:
> Require IDPs to support serving both http and https ID URLs, with both 
> required to map to the same identity.  But relying parties can choose 
> which to support, so RPs that do sensitive things will only support 
> https URLs, while PhpBBs and similar applications can use the less 
> secure http URL.

Under this proposal I would not be able to serve my own identity URL 
because I don't have an SSL certificate nor any desire to pay to get one.

Sure, I could use a self-signed certificate, but since relying parties 
generally do these requests non-interactively there's no opportunity to 
display the "Are you sure you trust this certificate? I can't validate 
it!" message that web browsers generally display in that case, so they'd 
probably just reject the connection outright.

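The two points under discussion, the proposal's rule that the http and https forms of an identifier must map to one identity and Martin's objection that a relying party's non-interactive discovery fetch has nowhere to show a certificate warning, are illustrated below with a small Python example. This is added code, not from the thread or from any OpenID library; the function names and the RP policy flag are assumptions for illustration.

```python
"""Added example (not code from the original mailing-list thread)."""
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_identity(url: str) -> str:
    """Map the http:// and https:// forms of an identifier to one identity string,
    as the proposal requires. The scheme is dropped, the host lowercased, the
    scheme's default port removed, an empty path becomes '/', and the fragment
    is discarded. Any other scheme is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # raises ValueError on a malformed port
    if port in (None, DEFAULT_PORTS[parts.scheme]):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{netloc}{path}{query}"


def rp_accepts(url: str, sensitive_rp: bool) -> bool:
    """RP-side policy from the proposal (hypothetical flag): an RP that does
    sensitive things accepts only https identifiers, while a forum-style RP
    accepts either scheme. Unknown schemes are never accepted."""
    scheme = urlsplit(url).scheme
    if scheme not in DEFAULT_PORTS:
        return False
    return scheme == "https" or not sensitive_rp


def fetch_identity_document(url: str, timeout: float = 5.0) -> Tuple[str, Optional[bytes]]:
    """Non-interactive discovery fetch, the way an RP would do it.

    The default SSL context validates the chain against the system CA store and
    checks the hostname, so a self-signed certificate fails outright; there is
    no user present to accept it, which is the objection raised above.
    Returns (status, body) instead of raising so the caller can log the reason."""
    ctx = ssl.create_default_context()  # CA-validated, hostname-checked
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return "ok", resp.read()
    except urllib.error.URLError as err:
        # urllib wraps the ssl error in URLError; inspect .reason to tell
        # a certificate-validation failure apart from plain unreachability.
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return "untrusted-certificate", None
        return "unreachable", None


if __name__ == "__main__":
    for ident in ("http://Example.com:80/", "https://example.com"):
        print(ident, "->", canonical_identity(ident),
              "sensitive RP accepts:", rp_accepts(ident, sensitive_rp=True))
```

The canonicalisation is deliberately strict about what it treats as equal (case of the host, default ports, empty path) and nothing else, so that `http://example.com/` and `https://example.com/` compare equal while `http://example.com:8080/` does not. The fetch helper needs network access and is not exercised by the assertions below.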
