SSL, DNSSEC and protected data enroute? (was Re: off topic - how many people use OpenID ?)
Josh Hoyt
josh at janrain.com
Fri Oct 20 19:27:04 UTC 2006
On 10/20/06, Alaric Dailey <alaricd at pengdows.com> wrote:
>
> Is SSL going to be required (to protect the user's data en-route)?
>
It is going to be strongly encouraged, but not required. The reality of the
situation is that not every site wants to pay for or can afford an SSL
certificate, and there are many valid scenarios in which that level of
protection is not necessary. Making a comment on a blog, posting to a
message board, or getting access to family photos are all scenarios in which
I expect that SSL might not be available.
> DNSSEC to validate the DNS hasn't been modified?
>
Same argument as above, except that DNSSEC is not widely used, so requiring
it would set the bar even higher. I think it would be great for support of
DNSSEC to be wider, but requiring it would harm adoption, especially for
community sites, personal sites, and other non-commercial communities.
> Has anyone thought about this?
>
yep :)
The specification will enumerate the trade-offs for using or not using
different security technologies, and leave the decision up to implementers.
Hans from VeriSign has designed security profiles for OpenID
implementations.
Basically, the idea is that the user (with the IdP and RP's help) will make
decisions on what is secure enough while adoption is still taking place, and
eventually, there will be enforceable levels of security.
Josh