security

Dick Hardt dick at sxip.com
Sun Oct 22 21:15:33 UTC 2006


On 22-Oct-06, at 1:53 PM, Eddy Nigg (StartCom Ltd.) wrote:

> Dick Hardt wrote:
>> It would be your URL, which likely will be private, and likely  
>> would be contained in content moved from the site later on  
>> insecure anyway even if login was SSL.
> Well, isn't this the issue here? Or maybe I misunderstood  
> something, but that's exactly the point...If there can be mixed  
> (secured and unsecured) sites in this decentralized network, then
> SSL on one site might mean nothing...?

Mixing them does make sense. I provide my username and password to my  
IdP over SSL. The results of that are an assertion that I own a URL  
and that can be sent to the RP over HTTP since my URL is not sensitive.

>> Your opinion is not shared by the site operators and their users.  
>> Why should everyone operate according to how you think things  
>> should happen? As a user, you have a choice not to use those  
>> sites. Why are you wanting to force your values on others?
> OK, let's get this straight: It's not MY values, but the formation of
> a standard. I don't force anybody anything, but would like to see,  
> that the standard you are going to create, adopts certain  
> requirements, so it can be useful...I thought, this is an  
> opportunity to influence things.

It is, and I am trying to say that other people have different
opinions than you, and I am not going to force them to do something
they don't want to do -- actually, we won't be able to force them,
they will just not adopt the protocol.

>
> But to the real beef: You are building a standard and you must  
> decide how certain things should be...otherwise why bother to  
> create a standard in the first place...The definition says: http,
> https, xri ....Why are you forcing operators and users to limit the
> transport protocol to these three? What if an operator wants to use
> something else? Why should everyone operate according to how you  
> think things should happen and use either http, https or xri?


>> These are not issues that have not been discussed in depth before.  
>> Appreciate your feedback, but this is actually not the main  
>> security issue. Adding SSL is pretty straightforward, and a site
>> will decide to use SSL in the same manner that they decide to use  
>> SSL today.
> Exactly....and because it's already here, common and easy to  
> implement, why not use it? No need to reinvent the wheel....in  
> return you receive a much stronger network...Generally speaking, a  
> SSL secured network is better than plain text, removes/reduces MITM  
> attacks etc...If OpenID should be anything serious one day, then I
> can't imagine anything else than a minimal set of such requirements....

I think we are going in circles here. I have explained why not  
require it. A security gradient is important so that sites can tap  
into what they need, not forced into doing things they do not need/want.

-- Dick
