> Sorry! Yes. TLS in this context means negotiating to do SSL over port
> 80 via HTTP 1.1 mechanisms. Once the client and server upgrade, it's
> effectively the same security as https. Specifically the client is sent
> a server certificate which proves that they are (say) foo.blogspot.com.
Thanks for clarifying that. So my question stands: what should the RP's decision be in case a non-upgradeable http:// variant of the identifier is detected? I am fully aware of the DNS spoofing risks, but I am also assuming no OPs (in the wild, that is) currently satisfy this constraint (i.e. either SSL only or TLS-upgradable identifiers).

If you have i-names in mind, there is a much easier way of blocking non-compliant OPs...

Regards,
Dmitry
=damnian

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
