security

Dick Hardt dick at sxip.com
Sun Oct 22 15:55:39 UTC 2006 

On 20-Oct-06, at 1:39 PM, Eddy Nigg (StartCom Ltd.) wrote:

> Ryan Barrett wrote:
>> "up to the IdP" does not mean "won't be used." IdPs that use  
>> OpenID in
>> meaningful transactions - say, PayPal, or the DMV - will almost  
>> certainly use
>> SSL to protect sensitive data like passwords on the wire. all  
>> they're saying
>> is that OpenID doesn't *mandate* it.
> Well....today domain validated certification is available for very  
> low cost or free...Therefore I'm not sure, if the argument of costs  
> is valid anymore. Here it's about the transport of the critical  
> data, e.g. the user details. If the same details can be open and  
> sniffed by a third party on-route, than it might be re-used to  
> access secured sites as well? Is there a protection against this?  
> Otherwise it doesn't matter if Paypal uses encryption, if a simple  
> sniffer can get the required bits from another (unsecured) site  
> more easy?

Most sites moving sensitive user data use SSL. I predict that any IdP  
that does not use SSL is an experimental IdP that is doing simple  
authorization. User's have been educated that the little lock should  
appear on sensitive data, and will not want to do sensitive  
transactions without it being there.

There are many web applications that are not moving sensitive user  
data and do not need to employ SSL. Slashdot being an example. Given  
their requirements, there is no need to force those potential RPs to  
support SSL. Supporting a security gradient is an important design  
choice in adoption of an identity due to the wide spectrum of  
security requirements of sites.


> Authentication of user submitted data is another story, which would  
> require at some point a validation system....So I'm not sure, if  
> the specs have a trust bit for these...??? This would be an  
> interesting point for more critical transactions of course...

3rd party claims about the URI are out of scope of OpenID  
Authentication. OpenID Attribute Exchange enables moving those  
around. There is still work to be done on those specifications.

-- Dick

More information about the general mailing list