HTTPS status

Alaric Dailey alaricdailey at hotmail.com
Thu Mar 1 02:23:46 UTC 2007


That wording is better than I remember, but really with free certificates
being readily available, and the obvious need for protecting users' data, WHY
oh WHY is there even support for an unencrypted channel?  Heck even Jabber
is being moved to a completely secure end to end encrypted channel.  With
this being created brand new, why start insecure?

I realize I am repeating the same thing I started a few months ago, but with
MS and AOL supporting OpenID, it means a lot more users will be exposed to
it, making it even more important to do it right from the beginning.

Why is there such reluctance?
 

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Martin Atkins
> Sent: Wednesday, February 28, 2007 6:14 PM
> To: specs at openid.net
> Subject: Re: HTTPS status
> 
> Alaric Dailey wrote:
> > Eddy Nigg and I brought up the issue of requiring SSL a while back,
> > since then I have been swamped, it looked like there was some more
> > talk about it since then.
> >
> > I know that there are several other people, that are concerned about
> > this too, and it has even been blogged about (
> > http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
> >
> > Can someone please tell me the status on this? Hopefully it's being required!
> > 
> 
> As far as I'm aware, the current status is:
> 
>   * All OpenID identifiers SHOULD use a secure channel.
>   * All OpenID servers SHOULD use a secure channel.
>   * OpenID relying parties MUST support SSL access to HTTP URLs.
>   * OpenID relying parties MAY refuse to interface with identifiers and
>     servers that do not use a secure channel.
>   * All other connections are out of scope of OpenID Authentication.
> 
> I may be wrong on these, as I'm listing them from memory.
> 
> 
> 
> In practice, I expect all big OpenID providers will support 
> SSL because users will demand it. The sites currently 
> providing OpenID identifiers as value-add features alongside 
> an existing service (LiveJournal, etc.) probably won't get 
> used much once there are more "proper" providers.
> 
> People hosting their own identifiers and/or OPs probably 
> won't use SSL, but then they won't be able to use their 
> identifiers at any site which requires SSL-based OpenID 
> Authentication, and they'll be in the minority anyway.
> 


