security

Dick Hardt dick at sxip.com
Mon Oct 23 01:18:01 UTC 2006


I don't think we are ignoring security in OpenID, or expecting to add it in later.

A transaction is only as secure as its weakest link, and there are always tradeoffs.

We did not want a one-size-fits-all approach.

Perhaps we can discuss this from another point of view. Why should I need SSL on a blog I am writing a comment on when all the data I provide the blog will be published and public anyway? An attacker is not going to see anything more on the HTTP connection than they would on the blog.

On 22-Oct-06, at 6:09 PM, Alaric Dailey wrote:

> I think I have to agree with James and Eddy.
>
> If it is secured from the beginning, you don't have to retrofit it later. I believe that it was Bruce Schneier that said something to the effect of 'security is next to implement properly after the fact'. As a programmer I have found this to be VERY true.
>
> Security is almost never boolean, you can only make it as secure as possible. From my standpoint, in this day and age, everything should be as secure as possible. Just to demonstrate this point, the very first thing I do when installing a new copy of Windows is install the NSA security policy.
>
> Secure it as best as possible, and you have less to fix later; it's easier to close small holes than big ones. Finally, it's much easier to make a change to a pending standard than it is to an existing standard.
>
> Basically, if you need security at all, you need it everywhere. Which bit of information should an attacker pay more attention to, the 1 encrypted message amongst hundreds or thousands of unencrypted messages, or try to pick 1 message of thousands of encrypted messages to attack?
>
> -----Original Message-----
> From: Recordon, David [mailto:drecordon at verisign.com]
> Sent: Sunday, October 22, 2006 5:24 PM
> To: Alaric Dailey; Dick Hardt; general at openid.net
> Subject: RE: security
>
> Alaric,
> I think both you and Dick are right. Don't get me wrong, security is very important to see anything like OpenID be adopted. I think the point Dick is trying to make is that security needs to scale depending on context, or at least that is the point I'd try to make.
>
> Starting with 2.0, or 1.2 whatever we end up calling it, I personally would not use an Identity Provider which does not host both my identifier and its server endpoint via a valid SSL certificate. There are however use cases where SSL is not required, running OpenID solely on an intranet for example, but for the majority of cases SSL is highly recommended, which I think the spec makes clear. If it doesn't, please let us know!
>
> So I don't think security is binary; IMHO what is important is that the spec makes it clear where the weaknesses are, how to protect them, and recommends the use of things like valid SSL certificates for the entire protocol flow.
>
> --David
>
> <snip/>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general