No subject


Thu Aug 31 20:54:33 PDT 2006


needed for what OpenID is doing.  At the same time, there really is
value, even for OpenID, in a cert that chains up to a trusted CA.

--David


-----Original Message-----
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]
Sent: Friday, October 20, 2006 02:26 PM Pacific Standard Time
To: general at openid.net
Subject: ***SPAM*** Re: SSL, DNSSEC and protected data enroute? (was Re: off topic -how many people use OpenID ?)

Jonathan Daugherty wrote:
> # Therefore COST is not a valid excuse for bypassing SSL.
>
> I don't think that citing cheap certs is any justification for
> requiring it.  And that is to say nothing about whether a CA is
> trusted.
>
Well, really the issue isn't the costs perhaps (it was given as a reason
why NOT to require a certain security standard), but the fact that the
network you are trying to build can be too easily compromised maybe. But
this is not the compromise of one lonely site, it's all the sites
offering openid login...

The investment to compromise a user login to a forum is perhaps not so
interesting for a hacker, but access to hundreds or thousands of sites
with various levels of information accessible to the (wrongful) user
would perhaps be disastrous. Personally I thought that I joined the
discussion very late, especially with the notable involvement of Verisign
at OpenID, but it seems that there is still some work to be done ;-) In
my opinion, the https protocol is almost the logical requirement for
sites dealing with user login and other data... Therefore I agree that
the costs should not be the justification for requiring SSL, but what's
at stake for the whole network.

So the question was, what is done in order to protect this network and
how data has to be secured on transport and perhaps also on the systems
themselves!?

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


I honestly didn't believe this over a year ago when I first met the
VeriSign guys, but I just want to make it clear that VeriSign is not
involved in OpenID with the goal of selling SSL certificates.

