Friday, May 25, 2018

Re: OpenID login to be disabled on translate.zanata.org

Our identity URLs are indeed sent as http, which is because when OpenID was introduced into Fedora many, many moons ago (before my time), it was done without HTTPS for identity URLs, and changing this afterward would break every account assignment at every remote site, which would leave many users very confused and annoyed.

Note that these identity URLs are only requested once in the protocol, and only by the Relying Party (Zanata), which means that the only possible attack would be a man in the middle between the Zanata servers and Fedora's network for the discovery.
The OpenID endpoint, which sends all data including the signatures, is always served over HTTPS, just like the second discovery step.

Do note that we *also* provide all identity URLs over HTTPS, e.g. https://puiterwijk.id.fedoraproject.org/.
If the Zanata team is willing to update all account assignments on your end, I can make us serve https identity URLs to you.
Alternatively, you can just rewrite the http identity URL to https on your end when verifying, and that would work without any changes on our end, since all the certificates are in place to serve them.

Feel free to let me know which you prefer.
_______________________________________________
trans mailing list -- trans@lists.fedoraproject.org
To unsubscribe send an email to trans-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/trans@lists.fedoraproject.org/message/7X6WIADT673S4TDBSB5X64JHZUZTURTH/
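One way a Relying Party could implement the second option from the reply (rewrite the http identity URL to https only for the discovery fetch, while keeping the asserted http URL as the key for existing account assignments). This is an added example, not code from the thread, from Zanata or from Fedora; the `id.fedoraproject.org` suffix is taken from the example URL in the reply, and the function names are hypothetical.

```python
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# Host suffixes whose identity URLs are known to be served over HTTPS as well.
# Assumption: derived from https://puiterwijk.id.fedoraproject.org/ in the reply;
# extend it only with providers you have verified serve https identity pages.
HTTPS_CAPABLE_SUFFIXES = ("id.fedoraproject.org",)


def _is_https_capable(host: str) -> bool:
    """Exact or subdomain match; 'id.fedoraproject.org.evil.example' must not match."""
    return any(host == s or host.endswith("." + s) for s in HTTPS_CAPABLE_SUFFIXES)


def split_identity_url(claimed_id: str) -> Tuple[str, str]:
    """Return (account_key, discovery_url) for an OpenID claimed identifier.

    account_key   is the identifier exactly as asserted (still http for Fedora),
                  so account assignments keyed on it keep working unchanged.
    discovery_url is what the RP actually fetches for discovery; for the hosts
                  above the scheme is upgraded to https, everywhere else it is
                  left as-is (no assumption about unknown providers).
    """
    parts = urlsplit(claimed_id)
    host = parts.hostname or ""          # lower-cased, without userinfo or port
    if parts.scheme != "http" or not _is_https_capable(host):
        return claimed_id, claimed_id
    if parts.username is not None or parts.port not in (None, 80):
        # Userinfo or a non-default port cannot be carried over to https safely.
        raise ValueError("refusing to upgrade unusual identity URL: %r" % claimed_id)
    discovery = urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    return claimed_id, discovery


def endpoint_is_https(op_endpoint: str) -> bool:
    """Discovery must yield an https OP endpoint: all signed data flows through it."""
    p = urlsplit(op_endpoint)
    return p.scheme == "https" and bool(p.hostname)
```

Wire `split_identity_url` in before the discovery fetch and refuse to continue when `endpoint_is_https` returns False for the endpoint discovery returned.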