HTTPS Identities - How to run openid server properly?

Carl Howells chowells at janrain.com
Mon Sep 4 18:13:18 UTC 2006


Lukas Rosenstock wrote:
> Use http:// for the identity URLs and then declare first priority OpenID 
> server a https://-URL and for those who cannot cope with it another 
> http://-URL as the second priority OpenID server, the identity URL 
> itself is not the important part to be secure but the server is. 

That's not true at all.  If the identity URL isn't https, the relying 
party can't verify that it's actually connected to to the correct 
identity page to get identity information.  Without being certain of the 
identity information, you can't be certain of the rest, either.

That's why https identity urls are being discussed so much.

Carl


More information about the yadis mailing list