[OpenID] Reconsidering http://openid different from https://openid

Johannes Ernst jernst+openid.net at netmesh.us
Fri Sep 14 09:40:24 PDT 2007


I'm one of the guys who actually maintains an ACL (Access Control  
List) based on OpenID identities. The process works like this:
  - Customer: hey, I'd like access to your website
  - Me: sure, send me your OpenID
  - Customer: foo.bar.com
  - Me: adding http://foo.bar.com/ to the ACL
  - Customer: hey, I tried but it doesn't work
  - Me (diagnosing): that's because you entered 'https://foo.bar.com/' and not 'http://foo.bar.com/'.

This happens in a surprisingly large number of cases.

No user seems to put any significance into the http vs. https as part  
of their identifier; even the people who do have the technical  
understanding to distinguish the two tend to fail to understand that  
within this community, we treat them as different identities.

I'd like to revisit this issue, as actual user behavior as I'm seeing  
it tends to conflict with the assumptions we made when defining these  
as two different identities. Specifically, I'd like the spec to say:

"Identifiers distinguished only by the 'http' vs. 'https' in the  
protocol part of the URL (e.g. 'https://foo.bar.com/' vs  
'http://foo.bar.com/') refer to the same identity. Conforming  
implementations must ensure that attackers cannot use an identifier  
distinguished only by the protocol to impersonate a victim."

Johannes Ernst
NetMesh Inc.


  http://netmesh.info/jernst
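The ACL matching described in the post, as an added example (not code from the post or from NetMesh, and not the OpenID specification's normalization routine): the first comparator treats 'http://' and 'https://' as distinct identities, which is why the customer's entry fails; the ACL class applies the proposed rule and keys entries on the identifier with its scheme removed. The identifier normalization (scheme/host case-folding, default-port removal, empty path to '/', fragment dropped, userinfo rejected) and the sample identifiers are my own assumptions for illustration, and the ACL is assumed to be consulted with the claimed identifier *after* the relying party's OpenID library has verified the assertion, never with the raw string the user typed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: only http and https identifiers are handled; anything else is rejected.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier):
    """Return a canonical URL for a URL-form OpenID identifier.

    Assumed normalization (illustrative, not the spec's own text): a bare
    hostname gets 'http://' in front, scheme and host are lower-cased, the
    default port for the scheme is dropped, an empty path becomes '/', and
    the fragment is discarded. Identifiers carrying userinfo are rejected
    because 'victim@attacker.example' looks like a different host to a user.
    """
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s  # 'foo.bar.com' as typed by the customer
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in identifier")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS[scheme]:
        netloc = host
    else:
        netloc = "%s:%d" % (host, port)
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identity_strict(a, b):
    """Current behaviour: two identifiers are the same identity only if they
    normalize to the same URL, scheme included."""
    return normalize_identifier(a) == normalize_identifier(b)


def scheme_insensitive_key(identifier):
    """ACL key under the proposed rule: the normalized identifier with the
    scheme removed, so http://foo.bar.com/ and https://foo.bar.com/ collide."""
    return normalize_identifier(identifier).split("://", 1)[1]


class OpenIDACL:
    """Access control list keyed on OpenID identifiers, scheme-insensitive.

    allows() must be called with the claimed identifier the relying party's
    OpenID library has already verified (assumption); this class only decides
    whether that verified identifier is on the list.
    """

    def __init__(self, entries):
        self._keys = {scheme_insensitive_key(e) for e in entries}

    def allows(self, verified_claimed_id):
        try:
            return scheme_insensitive_key(verified_claimed_id) in self._keys
        except ValueError:
            return False


if __name__ == "__main__":
    # Constructed sample: the admin adds the http form, the customer logs in
    # with the https form.
    acl = OpenIDACL(["http://foo.bar.com/"])
    print(same_identity_strict("http://foo.bar.com/", "https://foo.bar.com/"))  # False
    print(acl.allows("https://foo.bar.com/"))  # True under the proposed rule
    print(acl.allows("https://foo.bar.com/somebody-else"))  # False
```

Note that collapsing the scheme in the ACL does not by itself deliver the second sentence of the proposed spec text: whether someone who can answer for 'http://foo.bar.com/' but not for 'https://foo.bar.com/' can get past the list is decided by the relying party's verification of the assertion, which this code assumes has already happened.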