[OpenID] OpenId Association Timeout Recommendations
Granqvist, Hans
hgranqvist at verisign.com
Thu Feb 8 18:29:02 UTC 2007
> However, the spec seems to indicate that if SSL/TLS is used,
> then Direct Verification is ok (Section 15.1.2, first line of
> 2nd paragraph). Do you agree?
In principle, yes, I do. But SSL is such an ephemeral notion.
For instance, you can run SSL with NULL cipher suites so that
traffic goes in the clear.

To me, it seems that an RP that knows how to properly set up
and use SSL to verify the OP (with PKI trust processing)
would probably want to equally properly OpenID-associate.

The original intent of DV was for usage scenarios ("ajax")
where proper SSL is not normally nor easily available nor
implementable.
-Hans
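
Added example, not part of the original message: a sketch of what "properly set up" SSL/TLS could look like on the RP side, using Python's standard ssl module. It builds a client context that does PKI trust processing and refuses NULL and anonymous suites, then audits any context for the gaps the message describes. The function names and the sample suite names in the comments are assumptions made for illustration.

```python
import re
import ssl

# Name tokens that mark a suite with no encryption (NULL) or no server
# authentication (anonymous DH), in OpenSSL or IANA spelling.
WEAK_TOKENS = {"NULL", "ADH", "AECDH", "ANON"}


def weak_suites(names):
    """Return the suite names that give no confidentiality or no server auth."""
    return [n for n in names if WEAK_TOKENS & set(re.split(r"[-_]", n.upper()))]


def rp_tls_context():
    """Client-side context for an RP contacting an OP over HTTPS."""
    # create_default_context() requires a certificate chain that validates
    # against the system trust store and checks the hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Explicitly exclude unauthenticated (aNULL) and unencrypted (eNULL) suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def audit(ctx):
    """List the reasons a context cannot be relied on to verify the OP."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    weak = weak_suites(c["name"] for c in ctx.get_ciphers())
    if weak:
        problems.append("weak suites enabled: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    # Constructed suite names: only the first and third are flagged.
    print(weak_suites(["NULL-SHA", "AES128-SHA", "ADH-AES128-SHA"]))
    print(audit(rp_tls_context()) or "context ok")
```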