security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sun Oct 22 18:32:31 UTC 2006
Hi Dick,
Dick Hardt wrote:
> There is no reason to force an RP that is not using SSL today to use
> it with OpenID.
Of course there are....:
1.) I don't want my personal "whatever" data be transfered in the open,
which includes my ID URI, Key and whatever is going to be transfered
from my homesite.
2.) I want to make sure, that I'm really talking to slashdot / paypal /
whatever site....reducing the possibilities of pishing and login by
mistake to the wrong site.
> Do you think that Slashdot does not use SSL because they can't afford
> it? No, it is because it is not sensitive enough, and the performance
> overhead of SSL is too high for the marginal benefit.
*Any* Login data is sensitive enough! But really, the "performance
overhead" is also not a valid argument anymore....First, I'm not
suggesting, that /. encrypts from now on all its content, but the
relevant parts of OpenID. The transfered data is not in the range of
sizes, that this might in any affect performance, but possibly a few
KB's....This argument might have been valid ten years ago, but not today....
> There is a case for the IdP to use SSL, but the biggest one right now,
> Livejournal, does not support SSL and there was significant push back
> on making it a requirement.
Well...I don't know, what the big deal is to have a secured SSL
site...really...If you can afford to buy a domain name, than you can
also afford a SSL certificate or get it even for free (This will be more
and more common...just wait...)
> I think the market will dictate what is needed.
Not sure about that one....You design and define the SPECS and you are
the one who should take care of this! If there is a hole in the network
(and supposedly it gets adopted a lot), then this hole will be
exploited...Now you have a responsibility here, because as I said
earlier, access is not to *one* forum, but might be to hundreds of
thousands of sites...Think about this! You have to provide a robust and
secure standard - taking adoption time into account - will be used for
years to come!
Now, why browsers today offer anti-pishing tools included in their
software? Because the user is not able to look at the address bar, check
the frames and iFrames? Exactly....the same is true for a user to judge,
if this or that site is now secured or should be secured...There is
enough confusion for some of the population making use of the Internet -
they can't make a decision every time, sometimes they don't even know
what to decide! It's you, who should take care of this...This is my
argumentation!
> -- Dick
All the discussions and suggestions are made by me in good faith and I
don't mean anything personal (So if I write the word "you", this doesn't
mean you personally, but whoever is involved). I hope, that my input is
going to be helpful!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061022/40c05b24/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eddy_nigg.vcf
Type: text/x-vcard
Size: 636 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061022/40c05b24/attachment-0002.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7282 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061022/40c05b24/attachment-0002.bin>
More information about the general
mailing list