security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sun Oct 22 22:34:46 UTC 2006
Dick Hardt wrote:
> Mixing them does make sense. I provide my username and password to my
> IdP over SSL. The results of that are an assertion that I own a URL
> and that can be sent to the RP over HTTP since my URL is not sensitive.
But home sites which are not using SSL are a problem...except that the
result of the assertion can be transferred in plain is just another one...
> it is, and I am trying to say that other people have different
> opinions than you, and I am not going to force them to do something
> they don't want to do -- actually, we won't be able to force them,
> they will just not adopt the protocol
Oh, that's a good one....: According to the current definition, my
company can be a homesite (also with certain risks), but never, ever can
provide login anywhere at the same company's own sites, since other
homesites might not be secured...Now I let you decide, which adoption
you are probably going to hurt most...Guess, that more serious companies
are simply not going to adopt it....
Looking at Verisign's PIP....Does Verisign also rely on it for login on
their sites? Without checking this out...I simply guess, that I can't
login anywhere at their sites using OpenID.....and rightly so!
> I think we are going in circles here.
It seems so...
> I have explained why not require it.
No....I didn't hear one valid argument which makes sense....except that
you don't want to force people to adopt a standard like SSL....
On another occasion you said, that this is not even the most critical
security issue you have to solve....So I wonder, why not solve at least
one of them....
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390