No subject
Thu Aug 31 20:54:33 PDT 2006
needed for what OpenID is doing. At the same time, there really is
value, even for OpenID, in a cert that chains up to a trusted CA.

--David


-----Original Message-----
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]
Sent: Friday, October 20, 2006 02:26 PM Pacific Standard Time
To: general at openid.net
Subject: ***SPAM*** Re: SSL, DNSSEC and protected data enroute? (was Re: off topic -how many people use OpenID ?)

Jonathan Daugherty wrote:
> # Therefore COST is not a valid excuse for bypassing SSL.
>
> I don't think that citing cheap certs is any justification for
> requiring it. And that is to say nothing about whether a CA is
> trusted.
>
Well, really the issue isn't the costs perhaps (it was given as a reason
why NOT to require a certain security standard), but the fact that the
network you are trying to build can be too easily compromised maybe. But
this is not the compromise of one lonely site, it's all the sites
offering openid login...

The investment to compromise a user login to a forum is perhaps not so
interesting for a hacker, but access to hundreds or thousands of sites
with various levels of information accessible to the (wrongful) user,
would be perhaps disastrous. Personally I thought that I joined the
discussion very late, especially with the notable involvement of Verisign
at OpenID, but it seems that there is still some work to be done ;-) In
my opinion, the https protocol is almost the logical requirement for
sites dealing with user login and other data... Therefore I agree that
not the costs should be the justification for requiring SSL, but what's
at stake for the whole network.

So the question was, what is done in order to protect this network and
how data has to be secured on transport and perhaps also on the systems
themselves!?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390