Looking at the OpenID best practices (http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part of interest: OpenID Providers are highly recommended to issue HTTPS Identifiers to their users.

In practice, however, it looks as though most OpenID providers do not do this. Even Verisign's OpenIDs are prefixed by HTTP. I've recently taken an interest in OpenID and set up my own OpenID provider using Atlassian's Crowd, and I have set it up so that both HTTP and HTTPS OpenIDs are available. In the case of the HTTP OpenIDs, I have the login page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are more ideal, but I have encountered a rather large number of sites which simply do not seem to accept them. For instance, none of the MediaWiki sites using the OpenID extension listed at http://www.mediawiki.org/wiki/OpenID seem to accept them, and neither does my locally hosted WordPress page with their OpenID plugin. Both seem to be using the OpenIDEnabled PHP library, so it might be an issue with that.

So, as far as I can tell there are three main approaches:

1. Use HTTP-based OpenIDs and perform SSL for the login.
2. Use an HTTP-based OpenID which delegates the authentication to the HTTPS version.
3. Use an HTTPS-based OpenID.

Feel free to pipe in with any other alternatives that you can think of. So my question is what do you gain/lose with each option? Is 2 any less secure than 3? Do you lose much by only performing SSL on the login?

--
View this message in context: http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html
Sent from the OpenID - Security mailing list archive at Nabble.com.

security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
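The three options above differ in which legs of OpenID discovery are protected by HTTPS: the identifier page itself, the delegated local_id (option 2), and the provider endpoint. The following checker is an added example, not code from the post or from any of the libraries it mentions; it runs OpenID 2.0 HTML-based discovery on a page offline and lists the legs that are still plain HTTP. The identifier URLs and HTML pages in it are constructed sample data.

```python
# Added example (not from the original post): offline OpenID 2.0 HTML discovery
# that reports which legs (identifier, delegate, endpoint) are not on HTTPS.
# All URLs and HTML below are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlparse

OPENID_RELS = ("openid2.provider", "openid2.local_id", "openid.server", "openid.delegate")


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags that carry OpenID discovery data."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
            if rel in OPENID_RELS and a.get("href"):
                self.links.setdefault(rel, a["href"])  # first occurrence wins


def discover(identifier_url, html):
    """Return (provider endpoint, local id); OpenID 2.0 tags win over 1.x ones."""
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return endpoint, local_id or identifier_url  # no delegation: local id is the claimed id


def check(identifier_url, html):
    """Report which legs of discovery for this identifier lack HTTPS."""
    endpoint, local_id = discover(identifier_url, html)
    https = lambda u: urlparse(u).scheme == "https"
    findings = []
    if endpoint is None:
        findings.append("no OpenID <link> tags found on the identifier page")
    else:
        if not https(identifier_url):
            findings.append("identifier page fetched over HTTP: discovery data is unauthenticated")
        if local_id != identifier_url and not https(local_id):
            findings.append("delegated local_id is HTTP")
        if not https(endpoint):
            findings.append("provider endpoint is HTTP")
    return {"endpoint": endpoint, "local_id": local_id, "findings": findings}


# Constructed sample pages: an HTTP identifier delegating to an HTTPS one (option 2),
# and an HTTPS identifier served directly by the provider (option 3).
DELEGATING_HTML = ('<html><head><link rel="openid2.provider" href="https://id.example.net/server">'
                   '<link rel="openid2.local_id" href="https://id.example.net/users/alice"></head></html>')
HTTPS_ID_HTML = '<html><head><link rel="openid2.provider" href="https://id.example.net/server"></head></html>'
```

Running `check("http://alice.example.org/", DELEGATING_HTML)` reports only the HTTP identifier page, while the option 3 page reports nothing; the difference between the two is exactly the unauthenticated discovery step that option 2 keeps.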
