[OpenID] Trust + Security @ OpenID

Peter Williams pwilliams at rapattoni.com
Fri Jul 20 17:01:28 UTC 2007


Yes, they are.

It's poorly implemented. Its security semantics are not the same as https
(a common misconception); it's a technology shelf item that's been
waiting for a reason to exist (beyond what https did for the last 13
years). I think it now has one.

That it's poorly supported in libs is why its proxy architecture works
nicely. The TLS tunnels are set up between http proxies, not endpoints
(though obviously an endpoint can always be its own proxy). The value of
proxying is that the certs will act as the control plane for the
switching function of the network of proxy relays.

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Gabe Wachob
Sent: Friday, July 20, 2007 9:45 AM
To: jpanzer at acm.org; 'Dmitry Shechtman'
Cc: security at openid.net; general at openid.net
Subject: Re: [OpenID] Trust + Security @ OpenID

Are you guys talking about RFC2817 - HTTP Upgrade to TLS
(http://www.ietf.org/rfc/rfc2817.txt) 

I'm not sure how well that's implemented at all. In fact, I'd be surprised
if most common http libraries and servers implement it (though I have been
surprised in the past!)

	-Gabe


Yes, they are.

It's poorly implemented. Its security semantics are not the same as https
(a common misconception); RFC2817 is a technology shelf item that's been
waiting for a reason to exist (beyond the reason of competing with what
https did for virtual hosting over the last 13 years). I think it now
has one, as it has a proxy architecture rather than being an end-end
protocol. The original rationale (save poor IANA from SSL takeover of its
port space) was always silly: IETF in its puritan mode.

That it's poorly supported in http libs is why its proxy architecture
works nicely. The persistent TLS tunnels (plural) are set up between http
proxies, not endpoints (though obviously an endpoint can always be its
own proxy). Apart from interfacing legacy http libs easily to the
trusted name service, the additional value of proxying is that the cert
chain negotiation used during the tunnel negotiation will act as the
control plane for the switching function of the relay network, allowing
a management plane to project thereby the assurance of the IDP
Discovery process in an open system environment of multiple domains.

(Ok. Ok. I'm no longer sounding like a buyer from realty; I best get
back into role.)
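The RFC 2817 exchange the thread is arguing about, modelled offline as an added example (this is not code from the thread, from any OpenID library, or from either poster; the function names and the three sample replies are mine, constructed to match the message shapes in RFC 2817 sections 3 and 4). It shows the one point a client implementer cannot get wrong: the Upgrade header is a request, so only a 101 reply that names TLS/1.0 means the socket is about to become a TLS connection; a 426 is the server demanding TLS; anything else, including a cheerful 200, means the server ignored the Upgrade and every byte is still cleartext. That is the sense in which the security semantics differ from https, where the TLS handshake happens before any HTTP is spoken at all.

```python
"""RFC 2817 'Upgrade: TLS/1.0' exchange, modelled offline.

Client side (s.3.1): OPTIONS * with 'Upgrade: TLS/1.0' and 'Connection: Upgrade'.
Server side (s.3.2): '101 Switching Protocols' echoing the Upgrade header,
after which the TLS handshake runs on the same TCP connection.
Server-initiated (s.4.2): '426 Upgrade Required' tells the client to upgrade first.
The sample replies below are constructed for this example, not captured traffic.
"""


def build_upgrade_request(host: str) -> bytes:
    """Client side: ask the origin (or the next proxy) to upgrade this connection."""
    lines = [
        "OPTIONS * HTTP/1.1",   # s.3.1 allows OPTIONS * so no real request rides cleartext
        f"Host: {host}",
        "Upgrade: TLS/1.0",
        "Connection: Upgrade",  # Upgrade is hop-by-hop; RFC 2817 requires this header
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes):
    """Split a response head into (status_code, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1."):
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def _tokens(value: str):
    """Comma-separated header value -> set of lowercased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def classify_upgrade_reply(raw: bytes) -> str:
    """
    What the client must do next:
      'switch'   - 101 naming TLS/1.0 with Connection: Upgrade; run the TLS handshake now
      'required' - 426 Upgrade Required; server refuses cleartext, upgrade then retry
      'ignored'  - anything else; the server did NOT upgrade, the link is still cleartext
    """
    status, headers = parse_response(raw)
    names_tls = "tls/1.0" in _tokens(headers.get("upgrade", ""))
    if status == 101:
        if names_tls and "upgrade" in _tokens(headers.get("connection", "")):
            return "switch"
        return "ignored"   # 101 to some other protocol, or no Connection: Upgrade (s.3.2)
    if status == 426:
        return "required"
    return "ignored"


# Constructed sample replies (shapes follow RFC 2817 s.3.2 and s.4.2 examples).
SAMPLE_SWITCH = (b"HTTP/1.1 101 Switching Protocols\r\n"
                 b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
                 b"Connection: Upgrade\r\n\r\n")
SAMPLE_REQUIRED = (b"HTTP/1.1 426 Upgrade Required\r\n"
                   b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
                   b"Connection: Upgrade\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\n"          # server silently ignored the Upgrade
                b"Allow: GET, HEAD, OPTIONS\r\n"
                b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    print(build_upgrade_request("example.com").decode("ascii"))
    for label, reply in (("101", SAMPLE_SWITCH), ("426", SAMPLE_REQUIRED), ("200", SAMPLE_PLAIN)):
        print(label, "->", classify_upgrade_reply(reply))
```

Only the 'switch' branch is followed by wrapping the existing socket in TLS; a client that proceeds to send credentials after the 'ignored' branch has been downgraded without any error being raised, which is why a library that half-implements RFC 2817 is worse than one that does not implement it at all.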
