HTTPS Identities - How to run openid server properly?
Carl Howells
chowells at janrain.com
Mon Sep 4 18:13:18 UTC 2006
Lukas Rosenstock wrote:
> Use http:// for the identity URLs and then declare first priority OpenID
> server a https://-URL and for those who cannot cope with it another
> http://-URL as the second priority OpenID server, the identity URL
> itself is not the important part to be secure but the server is.
That's not true at all. If the identity URL isn't https, the relying
party can't verify that it's actually connected to to the correct
identity page to get identity information. Without being certain of the
identity information, you can't be certain of the rest, either.
That's why https identity urls are being discussed so much.
Carl
More information about the yadis
mailing list