[PROPOSAL] Adding More Color Around SSL Use

[Hans Granqvist]

Recordon, David wrote:
> I'm planning to check in the following patch to the authentication spec
> later today unless anyone has STRONG objections.  It says that SSL is
> not REQUIRED, though comes as close to saying that it is that I think we
> can.  Josh, Mart, and I believe this is a good middle position to take
> on the matter.  We certainly believe any reputable IdP will correctly
> use SSL, though there are cases (such as using OpenID Authentication
> fully within your own trusted network) where it is not required.

-1, if it's not too late

There are too many unknowns in this proposed change. While the
current text is not good, adding this to the spec is likely to
cause harm, for example:

What forms of SSL (incl. cipher suites) are recommended? What
is "a trusted authority" -- trusted by whom and for what? What
does "secure manner" mean?

I'm also wondering how the proposed security profiles correlate
with this change. It seems proper to reference these profiles
here. Can you shed some light?

Please also note that SSL has been more or less superseded by
TLS. TLS1 and SSL3 are quite similar, but not entirely, so
equating SSL with TLS should be spelled out. (Unless you imply
TLS is verboten, which I don't think is what you're doing :)

Hans