Last modified: 2014-01-13 17:18:32 UTC
originally filed in https://www.mediawiki.org/wiki/Extension_talk:OpenID#x.24wgOpenIDTrustRoot_35640
The question is whether making it protocol-independent is really safe. We are talking about the server-side implementation (MediaWiki as OpenID Server). When MediaWiki can be accessed via http: _and_ https: in the same way, then the consumer should trust one of them - not both, because the server could deliver different services depending on whether it is accessed via http or https. So I changed my mind and think that the $wgOpenIDTrustRoot value should _always_ reflect the actual way a consumer has authenticated. Closing as INVALID.
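
Added example, not part of the original comment and not code from the OpenID extension: a sketch of the realm (trust root) matching rule from OpenID Authentication 2.0, section 9.2, showing that a trust root is scheme-specific, so an http: trust root never covers an https: return URL. The host `wiki.example.org`, the path `/return` and the function name `realm_matches` are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL into the pieces the realm rule compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, u.path or "/", u.fragment


def realm_matches(realm, return_to):
    """Return True if return_to falls inside realm (OpenID 2.0, section 9.2)."""
    r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
    t_scheme, t_host, t_port, t_path, _ = _parts(return_to)
    # A realm must be an http(s) URL with a host and without a fragment.
    if r_scheme not in DEFAULT_PORTS or not r_host or r_frag:
        return False
    # Scheme and port must be identical: http and https never match each other.
    if (r_scheme, r_port) != (t_scheme, t_port):
        return False
    if r_host.startswith("*."):
        suffix = r_host[1:]  # "*.example.org" -> ".example.org"
        if not (t_host.endswith(suffix) or t_host == suffix[1:]):
            return False
    elif r_host != t_host:
        return False
    # Path: equal, or the realm path is a prefix ending at a "/" boundary.
    if t_path == r_path:
        return True
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return t_path.startswith(prefix)


if __name__ == "__main__":
    return_to = "https://wiki.example.org/return"  # constructed sample
    for realm in ("https://wiki.example.org/", "http://wiki.example.org/"):
        print(realm, "->", realm_matches(realm, return_to))
```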