security
Kalle Alm
kalle at enrogue.com
Sun Oct 22 17:20:22 UTC 2006
Hi there,
On Sun, 2006-10-22 at 19:01 +0200, Eddy Nigg (StartCom Ltd.) wrote:
> Dick Hardt wrote:
> > Most sites moving sensitive user data use SSL. I predict that any
> > IdP that does not use SSL is an experimental IdP that is doing
> > simple authorization.
> And what if not? There must be a clear answer....
> > Users have been educated that the little lock should appear on
> > sensitive data, and will not want to do sensitive transactions
> > without it being there.
> And what if not? What happens then?

Isn't this rather similar to "looking for the secure sign when
performing credit card transactions online"? Any respectable site will
use it, and the ones that don't will not have any users.

Instead it might be that, as in the example given, PayPal as an OpenID
"consumer" (I guess?) would only connect to https-enabled
OpenID-providers. I'm afraid I'm not involved enough to say if this is
even possible to control or not, but food for thought, regardless.

-Kalle.