Moving this to the list, I really should have started it there in the
first place.
--David
-Original Message-
From: Recordon, David
Sent: Monday, November 06, 2006 2:06 PM
To: 'Dick Hardt'; Josh Hoyt
Subject: RE: IdP's Advertising Both http and https
Hey Dick,
But the security warnings will still exist:
- RP redirects me to http on IdP
- IdP redirects me to https on IdP for login page (warning)
- I interact with IdP for trust request via https
- I submit HTTPS form
- IdP redirects me back to RP via http (warning)
Am I missing something here?
The only way to remove all of the warnings is adding additional
redirects to itself in these steps to remove the warnings.
I guess I'm not sure what I think we should do, though don't think this
is a simple problem.
--David
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 04, 2006 6:49 PM
To: Recordon, David
Cc: Josh Hoyt
Subject: Re: IdP's Advertising Both http and https
Hi David
If the RP is only using HTTP, then then the request and response are in
the clear between the RP and user-agent, and using SSL between the
user-agent and OP has nominal benefit. In case it was not clear, the OP
SHOULD switch to HTTPS for all other transactions between the user-
agent and the OP, so user authentication is secure and any other
personal data transported while the user is deciding what to do is
secure.
I think many RPs will only be using HTTP, so this will be a usability
issue if they are seeing the browser warning.
... but perhaps I am not clear on what you were thinking you wanted to
do?
-- Dick
On 30-Oct-06, at 4:55 PM, Recordon, David wrote:
So I was writing this one up for the notes and it just doesn't seem to
be sitting well with me as I think about it more:
- An IdP can already advertise both http and https endpoints in their
Yadis files. A RP should use the same schema when redirecting the
user to the IdP as it uses for its endpoints, though if this is not
possible can decide to not continue the transaction. This is desired
due to browsers showing a security warning when redirecting from https
to http and vice-versa.
So if the RP is HTTP, I think the security benefits of using SSL for
the request (if the IdP offers a https endpoint) outweigh the fact
that the user will be shown a warning on the response. I guess I have
a hard time making this recommendation when instead I personally would
recommend an IdP not advertise a HTTP endpoint if it has a HTTPS one.
I think the reality is that anyone doing anything but testing with
OpenID really should be using SSL, though certainly also don't believe
that 100% of IdPs and RPs will do so.
Thoughts?
--David
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
