[OpenID] Reconsidering http://openid different from https://openid
Johannes Ernst
jernst+openid.net at netmesh.us
Fri Sep 14 09:40:24 PDT 2007
I'm one of the guys who actually maintains an ACL (Access Control
List) based on OpenID identities. The process works like this:
- Customer: hey, I'd like access to your website
- Me: sure, send me your OpenID
- Customer: foo.bar.com
- Me: adding http://foo.bar.com/ to the ACL
- Customer: hey, I tried but it doesn't work
- Me (diagnosing): that's because you entered 'https://foo.bar.com/' and not 'http://foo.bar.com/'.
This happens in a surprisingly large number of cases.
No user seems to put any significance into the http vs. https as part
of their identifier; even the people who do have the technical
understanding to distinguish the two tend to fail to understand that
within this community, we treat them as different identities.
I'd like to revisit this issue, as actual user behavior as I'm seeing
it tends to conflict with the assumptions we made when defining these
are two different identities. Specifically, I'd like the spec to say:
"Identifiers distinguished only by the 'http' vs. 'https' in the
protocol part of the URL (e.g. 'https://foo.bar.com/' vs 'http://foo.bar.com/')
refer to the same identity. Conforming implementations
must ensure that attackers cannot use an identifier distinguished
only by the protocol to impersonate a victim."
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
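As an added example (not code from the thread or from any OpenID library), here is one way a relying party could key an ACL on a scheme-agnostic form of the identifier, so that the 'http' vs. 'https' mismatch described above stops locking legitimate users out. The `canonical_openid` and `OpenIDAcl` names and the sample entries are constructed for this illustration; the ACL lookup is assumed to run only on an identifier the OpenID library has already verified.

```python
from urllib.parse import urlsplit

# Default ports that carry no information and are dropped from the key.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_openid(identifier: str) -> str:
    """Return a scheme-agnostic ACL key for an OpenID URL identifier.

    'http://' and 'https://' forms collapse to the same key (the proposal
    in the message above).  The host is lowercased, default ports dropped,
    an empty path becomes '/', and any fragment is discarded.  A bare
    'foo.bar.com' with no scheme, as users tend to type it, is accepted.
    """
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident  # scheme-less input; scheme is ignored anyway
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise ValueError(f"not an HTTP(S) identifier: {identifier!r}")
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    if not host:
        raise ValueError(f"identifier has no host: {identifier!r}")
    port = parts.port  # raises ValueError on a malformed port
    if port is not None and port != _DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    path = parts.path or "/"
    key = f"//{host}{path}"
    if parts.query:
        key += f"?{parts.query}"
    return key


class OpenIDAcl:
    """Allow-list of OpenID identifiers compared by canonical key."""

    def __init__(self, entries):
        # Entries are normalised once, so 'foo.bar.com' as given by the
        # customer and 'http://foo.bar.com/' as stored match each other.
        self._allowed = {canonical_openid(e) for e in entries}

    def allows(self, verified_claimed_id: str) -> bool:
        # Only call this with the claimed identifier returned by a
        # successfully verified OpenID assertion; the ACL itself cannot
        # tell whether the same party controls both scheme variants.
        return canonical_openid(verified_claimed_id) in self._allowed
```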