security

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Oct 20 20:39:24 UTC 2006


Ryan Barrett wrote:
> "up to the IdP" does not mean "won't be used." IdPs that use OpenID in
> meaningful transactions - say, PayPal, or the DMV - will almost
> certainly use SSL to protect sensitive data like passwords on the wire.
> all they're saying is that OpenID doesn't *mandate* it.
Well....today domain validated certification is available for very low
cost or free...Therefore I'm not sure if the argument of costs is valid
anymore. Here it's about the transport of the critical data, e.g. the
user details. If the same details can be open and sniffed by a third
party en route, then it might be re-used to access secured sites as
well? Is there a protection against this? Otherwise it doesn't matter if
PayPal uses encryption, if a simple sniffer can get the required bits
from another (unsecured) site more easily?

Authentication of user-submitted data is another story, which would
require at some point a validation system....So I'm not sure if the
specs have a trust bit for these...??? This would be an interesting
point for more critical transactions of course...

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
