security (was Re: [dix] Re: Gathering requirements for in-browser OpenID support)
Ryan Barrett
openid at ryanb.org
Fri Oct 20 20:04:52 UTC 2006
On Fri, 20 Oct 2006, Eddy Nigg (StartCom Ltd.) wrote:
> If the "requirements" of SSL (and DNSSEC) are up to the IdP to implement
> OpenID securely, how can this network be ever extended beyond forum and blog
> logins? Also here I'm a little bit clueless. The specs speak about signing
> of the authentication messages, but there seems to be no securing (explicit)
> of the data in any other way?
"up to the IdP" does not mean "won't be used." IdPs that use OpenID in
meaningful transactions - say, PayPal, or the DMV - will almost certainly use
SSL to protect sensitive data like passwords on the wire. all they're saying
is that OpenID doesn't *mandate* it.
as for DNSSEC, i think josh is right. it's a red herring. sure, DNS is
technically insecure, which is a huge temptation for technical people like us
to blow out of proportion. in practice, though, the holes in DNS are so awkward,
and require so many resources, that they're almost never exploited in the
wild. it's just not on the script kiddies' radar, much less real criminals'.
big organizations like banks and brokerage firms are ok with conducting
sensitive transactions over plain vanilla DNS. given that precedent, i doubt
we'd want to burn many cycles on DNSSEC.
-Ryan
--
http://snarfed.org/