[OpenID] Trust + Security @ OpenID

Dmitry Shechtman damnian at gmail.com
Thu Jul 19 13:31:38 UTC 2007


Hi list,

I just had a really fertile talk with Eddy about "IdP reputation", during
which I came up with a couple of ideas which I found sound enough to be
shared with the community:

1. If an RP is after strong IdP security, it should only trust IdPs that have SSL (so it would resolve all identifiers to https://).
2. Once an identity server is queried over SSL, it will be forced to return an X.509 certificate.
3. X.509 certificates support explicit client-side security policy (so the RP may define a list of CAs it trusts for granting certificates to IdPs).
4. An "OpenID provider" certificate key usage should be defined (to be checked by RPs).
5. A separate "IdP certificate" should be defined (to be queried via an extension to the protocol).
6. A combination of (4) and (5) may be used for optimal transparent security.

Please forgive me if (4) or (5) were already defined. I'm not familiar with
all existing OpenID extensions.

Should the "IdP reputation" issue be discussed further?

Regards,

Dmitry

=damnian 
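The RP-side policy sketched in points (1) to (4) of the post, written out as an added example in Go. This is not code from the post or from any OpenID library; it mints throwaway certificates in-process so it runs offline. The "OpenID provider" extended-key-usage OID, the CA names and the host names are all made up for the example (no such OID was ever assigned), and point (5), a separate IdP certificate fetched through a protocol extension, is not shown because the post does not define it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// HYPOTHETICAL extended-key-usage OID standing in for the "OpenID provider" key usage of
// point (4). No such OID has been assigned; this arc is made up for the example only.
var oidOpenIDProvider = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

var ErrNotHTTPS = errors.New("identifier did not resolve to an https:// URL (point 1)")
var ErrNotOpenIDIdP = errors.New("certificate lacks the OpenID-provider key usage (point 4)")

// mintCert issues a throwaway certificate for cn, signed by parent (self-signed when parent
// is nil). Leaves get a DNS SAN and the serverAuth EKU so that ordinary TLS checks pass.
func mintCert(cn string, isCA bool, extraEKU []asn1.ObjectIdentifier,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for throwaway certs
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage:    extraEKU,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("mintCert: ", err, perr))
	}
	return cert, key
}

// checkIdP is the RP-side policy of points (1) to (4): an https identifier, a chain to a CA on
// the RP's own list (never the system store) matching the identifier's host, and the OpenID EKU.
func checkIdP(identifier string, leaf *x509.Certificate, rpTrustedCAs *x509.CertPool) error {
	u, err := url.Parse(identifier)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrNotHTTPS
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: u.Hostname(), Roots: rpTrustedCAs}); err != nil {
		return err
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidOpenIDProvider) {
			return nil
		}
	}
	return ErrNotOpenIDIdP
}

// runScenarios mints one CA the RP trusts, one it does not, and three IdP certificates (every
// name and host below is made up), then applies checkIdP to constructed identifiers.
func runScenarios() map[string]error {
	ca, caKey := mintCert("RP-Trusted CA", true, nil, nil, nil)
	other, otherKey := mintCert("Some Other CA", true, nil, nil, nil)
	openIDEKU := []asn1.ObjectIdentifier{oidOpenIDProvider}
	good, _ := mintCert("idp.example", false, openIDEKU, ca, caKey)
	plainTLS, _ := mintCert("idp.example", false, nil, ca, caKey)
	untrusted, _ := mintCert("idp.example", false, openIDEKU, other, otherKey)
	rpTrustedCAs := x509.NewCertPool()
	rpTrustedCAs.AddCert(ca)
	return map[string]error{
		"https, trusted CA, OpenID EKU": checkIdP("https://idp.example/alice", good, rpTrustedCAs),
		"http identifier":               checkIdP("http://idp.example/alice", good, rpTrustedCAs),
		"trusted CA but plain TLS cert": checkIdP("https://idp.example/alice", plainTLS, rpTrustedCAs),
		"CA not on the RP's list":       checkIdP("https://idp.example/alice", untrusted, rpTrustedCAs),
		"host does not match":           checkIdP("https://other.example/alice", good, rpTrustedCAs),
	}
}

func main() {
	for name, res := range runScenarios() {
		fmt.Printf("%-32s -> %v\n", name, res)
	}
}
```

Only the first scenario passes; the other four fail for a different reason each. The trust pool passed to Verify is the RP's explicit CA list from point (3), so a certificate from any CA the operating system happens to trust is still rejected, and a valid ordinary TLS certificate is rejected until it carries the assumed OpenID-provider key usage, which is what point (4) asks the RP to check.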
