[PROPOSAL] Adding More Color Around SSL Use
Recordon, David
drecordon at verisign.com
Thu Oct 26 20:48:09 UTC 2006
I'm planning to check in the following patch to the authentication spec
later today unless anyone has STRONG objections. It says that SSL is
not REQUIRED, though comes as close to saying that it is that I think we
can. Josh, Mart, and I believe this is a good middle position to take
on the matter. We certainly believe any reputable IdP will correctly
use SSL, though there are cases (such as using OpenID Authentication
fully within your own trusted network) where it is not required.
--David
Index: openid-authentication.xml
===================================================================
--- openid-authentication.xml (revision 68)
+++ openid-authentication.xml (working copy)
@@ -2216,7 +2216,17 @@
<t>
In order to get protection from SSL, SSL must be used for
all parts of the interaction, including interaction with
- the End User through the User Agent.
+ the End User through the User Agent. While the protocol
+ does not require SSL be used, its use is strongly
+ RECOMMENDED. Current best practicies dictate that an IdP
+ SHOULD use SSL, with a certificate signed by a trusted
+ authority, to secure its service endpoint. In addition,
+ SSL, with a certificate signed by a trusted authority,
+ SHOULD be used so that a Relying Party can fetch the
+ End User's URL in a secure manner. Please keep in mind
+ that a Relying Party MAY decide to not complete, or even
+ begin, a transaction if SSL is not being correctly used
+ at these various endpoints.
</t>
</section>
</section>
More information about the specs
mailing list