security

Dick Hardt dick at sxip.com
Sun Oct 22 17:27:42 UTC 2006


On 22-Oct-06, at 10:20 AM, Kalle Alm wrote:

> Hi there,
>
> On Sun, 2006-10-22 at 19:01 +0200, Eddy Nigg (StartCom Ltd.) wrote:
>> Dick Hardt wrote:
>>> Most sites moving sensitive user data use SSL. I predict that any
>>> IdP that does not use SSL is an experimental IdP that is doing
>>> simple authorization.
>> And what if not? There must be a clear answer....
>>> User's have been educated that the little lock should appear on
>>> sensitive data, and will not want to do sensitive transactions
>>> without it being there.
>> And what if not? What happens then?
>
> Isn't this rather similar to "looking for the secure sign when
> performing credit card transactions online"? Any respectable site will
> use it, and the ones that don't will not have any users.

yes, agreed

>
> Instead it might be that, as in the example given, PayPal as an OpenID
> "consumer" (I guess?) would only connect to https-enabled
> OpenID-providers. I'm afraid I'm not involved enough to say if this is
> even possible to control or not, but food for thought, regardless.

Hans has written a security profile proposal so that an RP would be
able to decide if an IdP supported a level of security appropriate
for a transaction.

-- Dick
