security

Dick Hardt dick at sxip.com
Mon Oct 23 01:12:27 UTC 2006


On 22-Oct-06, at 3:34 PM, Eddy Nigg (StartCom Ltd.) wrote:

> Dick Hardt wrote:
>> Mixing them does make sense. I provide my username and password to  
>> my IdP over SSL. The results of that are an assertion that I own a  
>> URL and that can be sent to the RP over HTTP since my URL is not  
>> sensitive.
> But home sites which are not using SSL are a problem...except that  
> the result of the assertion can be transferred in plain is just  
> another one...

I agree, homesites not using SSL are a problem. I would never use one.  
As I mention in another response, if you can convince the other  
editors, SSL would be a requirement for an IdP.

Of course there is another SSL issue which is how does the RP  
connect to the URL provided to bind it to the IdP.

>> it is, and I am trying to say that other people have different  
>> opinions than you, and I am not going to force them to do  
>> something they don't want to do -- actually, we won't be able to  
>> force them, they will just not adopt the protocol
> Oh, that's a good one....: According to the current definition, my  
> company can be a homesite (also with certain risks), but never,  
> ever can provide login anywhere at the same company's own sites,  
> since other homesites might not be secured...Now I let you decide,  
> which adoption you are probably going to hurt most...Guess, that  
> more serious companies are simply not going to adopt it....

Let's separate the IdP from the RP discussion.

I think non-SSL IdPs will be rare, and hopefully extinct. There are  
many really simple web apps that don't need SSL, and they should not  
be forced to use it.

>
> Looking at Verisign's PIP....Does Verisign also rely on it for  
> login on their sites? Without checking this out...I simply guess,  
> that I can't login anywhere on their sites using OpenID.....and  
> rightly so!
>> I think we are going in circles here.
> It seems so...
>> I have explained why not require it.
> No....I didn't hear one valid argument which makes sense....except  
> that you don't want to force people to adopt a standard like SSL....

That is my reason!

> On another occasion you said, that this is not even the most  
> critical security issue you have to solve....So I wonder, why not  
> solve at least one of them....

It is not really an issue. Forcing all RPs to use SSL is like trying  
to make the whole web use SSL now. Not going to happen.

-- Dick
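The split Dick draws above (credentials to the IdP need a confidential channel; the assertion to the RP only needs integrity, because the URL it carries is not secret) is easy to see in code. The following is an added illustration written for this archive page, not code from either poster and not the OpenID specification's own message format: it models a per-leg transport policy and a signed assertion whose integrity the RP checks independently of the transport it arrived on. The leg names, the HMAC-SHA256 over a sorted query encoding, the field names and the shared secret are all constructed assumptions for the example; how the IdP and RP establish that secret (the association step) is not modelled.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

# Constructed for this example only. In a deployment the IdP/RP shared key
# comes from an out-of-band or association step that this snippet omits.
SHARED_SECRET = b"constructed-example-shared-secret"

# Legs of the flow that carry a secret (the user's password) and therefore
# need transport confidentiality. The IdP -> RP assertion leg is not listed:
# it carries only a signed, non-secret URL, so plain http is tolerated there.
SECRET_BEARING_LEGS = {"user_to_idp"}


def transport_ok(leg: str, url: str) -> bool:
    """Return True if the given leg's URL satisfies the transport policy.

    Secret-bearing legs must use https; other legs are accepted on any scheme
    because the assertion's integrity is protected by its signature instead.
    """
    scheme = urlparse(url).scheme.lower()
    if leg in SECRET_BEARING_LEGS:
        return scheme == "https"
    return True


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding so IdP and RP compute the MAC over identical bytes.
    return urlencode(sorted(fields.items())).encode()


def sign_assertion(fields: dict) -> dict:
    """IdP side: attach an HMAC over every field of the assertion."""
    signed = dict(fields)
    signed["sig"] = hmac.new(SHARED_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return signed


def verify_assertion(signed: dict, expected_return_to: str) -> bool:
    """RP side: accept only if the signature matches and return_to is ours.

    Transport does not matter here: a modified 'identity' or 'return_to'
    changes the canonical bytes and the MAC no longer verifies.
    """
    fields = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(SHARED_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("sig", "")):
        return False
    return fields.get("return_to") == expected_return_to


if __name__ == "__main__":
    # Constructed sample flow.
    print(transport_ok("user_to_idp", "http://idp.example/login"))   # False: password over http
    print(transport_ok("user_to_idp", "https://idp.example/login"))  # True
    print(transport_ok("idp_to_rp", "http://rp.example/return"))     # True: assertion leg

    assertion = sign_assertion({
        "identity": "http://alice.example/",      # the claimed URL, not a secret
        "return_to": "http://rp.example/return",
        "nonce": "constructed-nonce-0001",
    })
    print(verify_assertion(assertion, "http://rp.example/return"))   # True

    tampered = dict(assertion)
    tampered["identity"] = "http://mallory.example/"
    print(verify_assertion(tampered, "http://rp.example/return"))    # False
```

The signature covers integrity only. It does not, on its own, stop an assertion captured on the plain-http leg from being presented again, which is why the sample includes a nonce field an RP would also need to track; nor does it address the separate issue Dick raises of how the RP fetches the claimed URL to discover the IdP in the first place, where an unauthenticated fetch can be redirected to a different IdP before any signature is ever checked.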
