security

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sun Oct 22 17:01:32 UTC 2006


Dick Hardt wrote:
> Most sites moving sensitive user data use SSL. I predict that any IdP
> that does not use SSL is an experimental IdP that is doing simple
> authorization. 
And what if not? There must be a clear answer....
> Users have been educated that the little lock should appear on
> sensitive data, and will not want to do sensitive transactions without
> it being there.
And what if not? What happens then?
> There are many web applications that are not moving sensitive user
> data and do not need to employ SSL. Slashdot being an example. Given
> their requirements, there is no need to force those potential RPs to
> support SSL. Supporting a security gradient is an important design
> choice in adoption of an identity due to the wide spectrum of security
> requirements of sites.
Look, in my opinion there is no reason whatsoever NOT to require SSL. I
didn't hear one good argument for not requiring a minimum set of
security - of which SSL encryption certainly is. It's like you want to
shoot yourself in the foot - instead of preparing for all
possibilities (including critics) the best it can get - without
requesting too much... Today SSL for a web site is affordable and easy
to achieve. OpenID should return "unknown protocol, try https" for
regular http requests...

Adoption of OpenID might be even higher with a minimal set of security
related requirements, because it shows that you thought about the
various other aspects - not just the geeky let's-make-it-work standards.
It is going to make this network much more serious in my opinion. It
will also send out a message that this standard will not just be for
hobbyists and forum/blog logins, but it may extend and expand to more
serious functions...
> 3rd party claims about the URI are out of scope of OpenID
> Authentication. OpenID Attribute Exchange enables moving those around.
> There is still work to be done on those specifications.
Excellent! At which part(s) or papers should I look for these?
> -- Dick

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


