security
Dick Hardt
dick at sxip.com
Sun Oct 22 17:26:17 UTC 2006
On 22-Oct-06, at 10:01 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Dick Hardt wrote:
>> Most sites moving sensitive user data use SSL. I predict that any
>> IdP that does not use SSL is an experimental IdP that is doing
>> simple authorization.
> And what if not? There must be a clear answer....
>> Users have been educated that the little lock should appear on
>> sensitive data, and will not want to do sensitive transactions
>> without it being there.
> And what if not? What happens then?
>> There are many web applications that are not moving sensitive user
>> data and do not need to employ SSL. Slashdot being an example.
>> Given their requirements, there is no need to force those
>> potential RPs to support SSL. Supporting a security gradient is an
>> important design choice in adoption of an identity due to the wide
>> spectrum of security requirements of sites.
> Look, in my opinion there is no reason whatsoever NOT to require
> SSL. I didn't hear one good argument for not requiring a minimum
> set of security - of which SSL encryption certainly is. It's like
> you want to shoot yourself in the foot - instead of preparing for
> all possibilities (including critics) the best it can get - without
> requesting too much.... Today SSL for a web site is affordable and
> easy to achieve. OpenID should return "unknown protocol, try https"
> for regular http requests...
There is no reason to force an RP that is not using SSL today to use
it with OpenID.
Do you think that Slashdot does not use SSL because they can't afford
it? No, it is because it is not sensitive enough, and the performance
overhead of SSL is too high for the marginal benefit.
There is a case for the IdP to use SSL, but the biggest one right
now, Livejournal, does not support SSL and there was significant push
back on making it a requirement.
I think the market will dictate what is needed.
>
> Adoption of OpenID might be even higher with a minimal set of
> security related requirements, because it shows, that you thought
> about the various other aspects - not just the geeky lets-make-it-
> work standards. It is going to make this network much more serious
> in my opinion. It will also send out a message, that this standard
> will not just be for hobbyists and forum, blog logins, but it may
> extend and be expanded to more serious functions...
I completely agree that we need to communicate to people that these
issues were thought through.
>> 3rd party claims about the URI are out of scope of OpenID
>> Authentication. OpenID Attribute Exchange enables moving those
>> around. There is still work to be done on those specifications.
> Excellent! At which part(s) or papers should I look for these?
All the specs are here:
http://openid.net/specs.bml
Discussion is on the specs at openid.net list.
-- Dick