I don't understand what you're suggesting. If you ban both HTTP and
HTTPS OP what's left?
I don't want to unconditionally ban HTTPS OP's, just when they're
delegated to by a non-HTTPS URI.
I think its more helpful to think in terms of a spectrum of threats.
Using HTTPS for the OP but not for the identity URI is more secure
than using HTTP for both and less secure than using HTTPS for both.
But secure against *what*?
What's the attack here? What are we defending against, exactly?
If the OP uses SSL that helps the user, but not us, except indirectly
if we're worried about the user giving away their credentials to a
fake OP (in the coffee shop model, as you said), and if their URI
*doesn't* use SSL then the user has an illusion of security, one
which may be reinforced by their OP.
If you store data at my site (even inadvertently, indirectly, through
the ACL that reveals which pages *I* thought you would have an
interest in), data which is later retrievable by you, it is also
retrievable by anyone who can *convince* me that they are you - and
this attack does not care one whit whether your OP is using SSL or
not, since your OP will never be involved.
The user is concerned with attackers being able to spoof their
Identity at *any* site, by stealing the credentials they use at their
OP; the user *might* care little whether attackers can spoof their
Identity at a specific RP, but if they store any personal data there
they should care greatly!
If the user is being reassured by their OP that they are "secure"
because that OP uses SSL, then the user has a false sense of
security. If the user has an HTTP URI and a HTTP OP, they probably
understand the risks and are willing to take them. I can always
assign an explanation to their ACL (even make the page default on
first login) to make sure.
-Shade toys with the idea of caching IP addresses for OP's, then
throwing a fit if it suddenly doesn't match up
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
