SSL, DNSSEC and protected data enroute? (was Re: off topic - how many people use OpenID ?)

Alaric Dailey alaricd at pengdows.com
Fri Oct 20 20:10:43 UTC 2006


Josh Hoyt wrote:
> On 10/20/06, *Alaric Dailey* <alaricd at pengdows.com> wrote:
>
>     Is SSL going to be required (to protect the users data en-route)?
>
>
> It is going to be strongly encouraged, but not required. The reality 
> of the situation is that not every site wants to pay for or can afford 
> an SSL certificate,

There are free SSL certs available from several sources, the most 
accepted of which is StartCom ( http://cert.startcom.org ). An 
interesting side note is that SSL is being tossed about as a requirement 
for joining the Jabber Federation ( http://www.xmpp.net ), and they are 
using a StartCom SSL cert.

If you don't like free, try < $10 from Registerfly ( 
http://www.registerfly.com/ssl/ ) .

Therefore COST is not a valid excuse for bypassing SSL.

> and there are many valid scenarios in which that level of protection 
> is not necessary.

I know that as a conscientious user, I won't use a system that doesn't 
protect my data en-route.

> Making a comment on a blog, posting to a message board, or getting 
> access to family photos are all scenarios in which I expect that SSL 
> might not be available.

The moment you pass users' data, it should be encrypted, even if SSL 
isn't the choice; for all I care it could be done via PGP emails. Even 
if you don't want the protection of encryption, you NEED the data to be 
signed to prevent data being modified en-route.

>
>     DNSSEC to validate the DNS hasn't been modified?
>
>
> Same argument as above, except that DNSSEC is not widely used, so 
> requiring it would set the bar even higher. I think it would be great 
> for support of DNSSEC to be wider, but requiring it would harm 
> adoption, especially for community sites, personal sites, and other 
> non-commercial communities. 
>
>     Has anyone thought about this?
>
>
> yep :)

Requiring DNSSEC might be stiff, but it would be a good idea, especially 
for "authoritative" servers.

>
> The specification will enumerate the trade-offs for using or not using 
> different security technologies, and leave the decision up to 
> implementers. Hans from VeriSign has designed security profiles for 
> OpenID implementations.
>
> Basically, the idea is that the user (with the IdP and RP's help) will 
> make decisions on what is secure enough while adoption is still taking 
> place, and eventually, there will be enforceable levels of security.
>
> Josh


-- 
*Pengdows, Inc.*

Everyone deserves privacy.

Pengdows, Inc. <http://www.pengdows.com>    Alaric Dailey - President

    * StartCom 'Web of Trust' Member <http://www.startssl.org>
    * Thawte 'Web of Trust' Notary
      <http://www.thawte.com/secure-email/web-of-trust-wot/index.html>
    * Notary Public and NNA member <http://www.nationalnotary.org/>
    * CAcert 'Web of Trust' Assurer <http://www.cacert.org/wot.php?id=3>

National Notary Association Member

ATTENTION USERS OF MICROSOFT OUTLOOK AND MICROSOFT OUTLOOK EXPRESS:
Some versions of these products have trouble replying to digitally 
signed emails, like this one.
For more information on this error, and how to fix it, please visit Mark 
Noble's website here <http://www.marknoble.com/tutorial/smime/smime.aspx>.

Having trouble validating the digital signature? Install the 
Certification Authority <http://cert.startcom.org/?app=109>