A lot of websites that support OpenID do not use SSL (https://); instead, they only have the unsecured http://. My idea is to work with the existing and also new OpenID-supported websites and encourage them to set up an https:// version of their website. For example, Facebook's URL could be https://www.facebook.com. The websites don't have to use https as their default URL because SSL is a bit slower. But having an SSL option will mean OpenID users will have their info encrypted, and it lowers the security risks with OpenID.

310 votes
That’s a great idea. It’s certainly something that OPs and RPs should take into consideration.
There are currently some conversations going on about an OpenID Security Best Practices document; while the spec shouldn’t mandate SSL, it certainly should present the case for supporting it, ideally in a best practices doc.