security

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sun Oct 22 20:53:13 UTC 2006


Dick Hardt wrote:
> It would be your URL, which likely will be private, and likely would
> be contained in content moved from the site later on insecure anyway
> even if login was SSL.
Well, isn't this the issue here? Or maybe I misunderstood something, but
that's exactly the point... If there can be mixed (secured and unsecured)
sites in this decentralized network, then SSL on one site might mean
nothing...?
> Your opinion is not shared by the site operators and their users. Why
> should everyone operate according to how you think things should
> happen? As a user, you have a choice not to use those sites. Why are
> you wanting to force your values on others?
OK, let's get this straight: it's not MY values, but the formation of a
standard. I don't force anything on anybody, but would like to see that
the standard you are going to create adopts certain requirements, so it
can be useful... I thought this is an opportunity to influence things.

But to the real beef: you are building a standard and you must decide
how certain things should be... otherwise why bother to create a standard
in the first place... The definition says: http, https, xri... Why are you
forcing operators and users to limit the transport protocol to these
three? What if an operator wants to use something else? Why should
everyone operate according to how you think things should happen and use
either http, https or xri?

Because you made a decision on this, right? The very same way you (the
community) can make a decision to require https... Hope you get my point
on this...
> This is like saying that all websites should use SSL and we should
> stop allowing HTTP because it is insecure. Where would the web be if
> all sites had to run SSL to start off with?
Guess the Internet would be a much better place ;-)
> These are not issues that have not been discussed in depth before.
> Appreciate your feedback, but this is actually not the main security
> issue. Adding SSL is pretty straightforward, and a site will decide
> to use SSL in the same manner that they decide to use SSL today.
Exactly... and because it's already here, common and easy to implement,
why not use it? No need to reinvent the wheel... in return you receive a
much stronger network... Generally speaking, an SSL-secured network is
better than plain text, removes/reduces MITM attacks etc... If OpenID
should be anything serious one day, then I can't imagine anything else
than a minimal set of such requirements....


-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390