Re: IdP's Advertising Both http and https
On 9-Nov-06, at 7:45 AM, Rowan Kerr wrote:

> On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote:
>>> -Original Message-
>>> From: Recordon, David
>>>
>>> But the security warnings will still exist:
>>> - RP redirects me to http on IdP
>>> - IdP redirects me to https on IdP for login page (warning)
>>
>> no warning on GET redirects
>
> If GET is going to be an acceptable method for responses, the spec
> should be updated. Section 5.2.1. HTTP Redirect states:
>
>     This method is deprecated as of OpenID Authentication version
>     2.0 though is still required for implementation to aide in
>     backwards compatibility.

To clarify, the GET redirect that I am referring to is one that is to the same host.

We moved to a POST between RP and OP so that we could move more data.

-- Dick

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: IdP's Advertising Both http and https
On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote:
>> -Original Message-
>> From: Recordon, David
>>
>> But the security warnings will still exist:
>> - RP redirects me to http on IdP
>> - IdP redirects me to https on IdP for login page (warning)
>
> no warning on GET redirects

If GET is going to be an acceptable method for responses, the spec
should be updated. Section 5.2.1. HTTP Redirect states:

    This method is deprecated as of OpenID Authentication version
    2.0 though is still required for implementation to aide in
    backwards compatibility.

Yes/no?

-Rowan
Re: IdP's Advertising Both http and https
That's correct - you can use an auto submit form with GET or use JavaScript (document.location.replace) or a META redirect tag to make the browser do a GET. We have been doing this for a very very long time too - mainly the JavaScript method as it helps in restoring the back button functionality (better UE).

- Praveen

[EMAIL PROTECTED] wrote:

> On 7-Nov-06, at 12:34 PM, Recordon, David wrote:
>
>> Moving this to the list, I really should have started it there in the
>> first place.
>>
>> --David
>>
>> -Original Message-
>> From: Recordon, David
>> Sent: Monday, November 06, 2006 2:06 PM
>> To: 'Dick Hardt'; Josh Hoyt
>> Subject: RE: IdP's Advertising Both http and https
>>
>> Hey Dick,
>> But the security warnings will still exist:
>> - RP redirects me to http on IdP
>> - IdP redirects me to https on IdP for login page (warning)
>
> no warning on GET redirects
>
>> - I interact with IdP for "trust request" via https
>> - I submit HTTPS form
>> - IdP redirects me back to RP via http (warning)
>
> not if you do a GET redirect
>
>> Am I missing something here?
>
> redirected POSTs produce a warning, redirected GETs do not
>
>> I guess I'm not sure what I think we should do, though don't think
>> this is a simple problem.
>
> We built this out with our SXIP 2.0 code. Worked fine. No warnings.
>
> -- Dick
Re: IdP's Advertising Both http and https
On 7-Nov-06, at 12:34 PM, Recordon, David wrote:

> Moving this to the list, I really should have started it there in the
> first place.
>
> --David
>
> -Original Message-
> From: Recordon, David
> Sent: Monday, November 06, 2006 2:06 PM
> To: 'Dick Hardt'; Josh Hoyt
> Subject: RE: IdP's Advertising Both http and https
>
> Hey Dick,
> But the security warnings will still exist:
> - RP redirects me to http on IdP
> - IdP redirects me to https on IdP for login page (warning)

no warning on GET redirects

> - I interact with IdP for "trust request" via https
> - I submit HTTPS form
> - IdP redirects me back to RP via http (warning)

not if you do a GET redirect

> Am I missing something here?

redirected POSTs produce a warning, redirected GETs do not

> I guess I'm not sure what I think we should do, though don't think
> this is a simple problem.

We built this out with our SXIP 2.0 code. Worked fine. No warnings.

-- Dick
RE: IdP's Advertising Both http and https
Moving this to the list, I really should have started it there in the first place.

--David

-Original Message-
From: Recordon, David
Sent: Monday, November 06, 2006 2:06 PM
To: 'Dick Hardt'; Josh Hoyt
Subject: RE: IdP's Advertising Both http and https

Hey Dick,
But the security warnings will still exist:
- RP redirects me to http on IdP
- IdP redirects me to https on IdP for login page (warning)
- I interact with IdP for "trust request" via https
- I submit HTTPS form
- IdP redirects me back to RP via http (warning)

Am I missing something here? The only way to remove all of the warnings is adding additional redirects to itself in these steps to remove the warnings.

I guess I'm not sure what I think we should do, though don't think this is a simple problem.

--David

-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 04, 2006 6:49 PM
To: Recordon, David
Cc: Josh Hoyt
Subject: Re: IdP's Advertising Both http and https

Hi David

If the RP is only using HTTP, then the request and response are in the clear between the RP and user-agent, and using SSL between the user-agent and OP has nominal benefit. In case it was not clear, the OP SHOULD switch to HTTPS for all other transactions between the user-agent and the OP, so user authentication is secure and any other personal data transported while the user is deciding what to do is secure.

I think many RPs will only be using HTTP, so this will be a usability issue if they are seeing the browser warning.

... but perhaps I am not clear on what you were thinking you wanted to do?

-- Dick

On 30-Oct-06, at 4:55 PM, Recordon, David wrote:

> So I was writing this one up for the notes and it just doesn't seem to
> be sitting well with me as I think about it more:
>
> - An IdP can already advertise both http and https endpoints in their
> Yadis files. A RP should use the same schema when redirecting the
> user to the IdP as it uses for its endpoints, though if this is not
> possible can decide to not continue the transaction. This is desired
> due to browsers showing a security warning when redirecting from https
> to http and vice-versa.
>
> So if the RP is HTTP, I think the security benefits of using SSL for
> the request (if the IdP offers a https endpoint) outweigh the fact
> that the user will be shown a warning on the response. I guess I have
> a hard time making this recommendation when instead I personally would
> recommend an IdP not advertise a HTTP endpoint if it has a HTTPS one.
> I think the reality is that anyone doing anything but testing with
> OpenID really should be using SSL, though certainly also don't believe
> that 100% of IdPs and RPs will do so.
>
> Thoughts?
>
> --David
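The two mechanical pieces of this discussion, the "same scheme as the RP's own endpoint" selection rule from David's original note and the hop-by-hop flow he lists in the later message, can be checked with a few lines of code. The following Python is an added example written for this archive page; it is not code from the thread, from the OpenID specification, or from any OpenID library. The endpoint URLs, the sample hop list and the function names are constructed for illustration.

```python
"""Added example (not from the OpenID specs thread or any OpenID library).

Models two things from the discussion above:
  1. the RP rule "use the same scheme for the OP endpoint as for your own
     return URL, otherwise decline the transaction", and
  2. a hop-by-hop walk through the user-agent's redirects that reports
     every point where the URL scheme flips between http and https, which
     is where the thread expects a browser warning.
All URLs below are constructed sample values.
"""
from urllib.parse import urlparse


def pick_op_endpoint(rp_return_to, op_endpoints):
    """Return the first advertised OP endpoint whose scheme matches the
    scheme of the RP's own return URL.

    Returns None when no endpoint matches; per the thread, the RP may then
    decide not to continue the transaction rather than cross schemes.
    """
    rp_scheme = urlparse(rp_return_to).scheme.lower()
    for endpoint in op_endpoints:
        if urlparse(endpoint).scheme.lower() == rp_scheme:
            return endpoint
    return None


def scheme_transitions(hops):
    """Walk an ordered list of (method, url) hops made by the user-agent.

    Returns one tuple (index, method, from_scheme, to_scheme) for every hop
    whose scheme differs from the previous hop's. The method is reported so
    the reader can see whether the crossing hop is a form POST or a GET
    redirect, the distinction Dick Hardt draws in the thread.
    """
    crossings = []
    prev_scheme = None
    for index, (method, url) in enumerate(hops):
        scheme = urlparse(url).scheme.lower()
        if prev_scheme is not None and scheme != prev_scheme:
            crossings.append((index, method.upper(), prev_scheme, scheme))
        prev_scheme = scheme
    return crossings


def plan_request(rp_return_to, op_endpoints):
    """Plan the RP -> OP -> RP hops using a scheme-matched endpoint.

    Returns (endpoint, crossings). When the matching rule holds the
    crossings list is empty; the OP's own internal switch to https for
    its login page (discussed in the thread) is outside this plan.
    """
    endpoint = pick_op_endpoint(rp_return_to, op_endpoints)
    if endpoint is None:
        return None, []
    hops = [("GET", rp_return_to), ("GET", endpoint), ("POST", rp_return_to)]
    return endpoint, scheme_transitions(hops)


# Constructed sample: the flow David lists, as hops made by the user-agent.
SAMPLE_FLOW = [
    ("GET", "http://rp.example/login"),       # user starts at an http RP
    ("GET", "http://op.example/openid"),      # RP redirects to http on the IdP
    ("GET", "https://op.example/login"),      # IdP redirects to https login page
    ("POST", "https://op.example/trust"),     # trust request submitted over https
    ("POST", "http://rp.example/return"),     # IdP sends the response back over http
]

# Constructed sample of an IdP advertising both schemes in its Yadis file.
SAMPLE_OP_ENDPOINTS = ["https://op.example/openid", "http://op.example/openid"]


if __name__ == "__main__":
    for crossing in scheme_transitions(SAMPLE_FLOW):
        print("scheme change at hop %d (%s): %s -> %s" % crossing)
    print(plan_request("http://rp.example/return", SAMPLE_OP_ENDPOINTS))
    print(plan_request("https://rp.example/return", ["http://op.example/openid"]))
```

Run against the constructed flow, the walk reports two scheme changes: hop 2 (a GET from http to https when the IdP moves to its login page) and hop 4 (a POST from https back to the http RP). With `plan_request` the RP picks the endpoint that matches its own scheme and the RP/OP hops stay on one scheme; an https RP facing an IdP that only advertises http gets `None` and can decline instead of downgrading.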