security

Chris Drake christopher at pobox.com
Mon Oct 23 03:21:55 UTC 2006


DH> It is not really an issue. Forcing all RPs to use SSL is like
DH> trying to make the whole web use SSL now. Not going to happen.

Solution: move the RP SSL support into the OpenID libraries?  RP sites
would then not need to roll out SSL web pages, or even have to think
about SSL at all - they just get it built-in when they download their
OpenID toolkit?

DH> Why should I need SSL on a blog ...

Because whoever operates the blog deployed OpenID assuming it would be
secure - possibly because (as we saw demonstrated on this list
recently) they confused the concepts of "Identity 2.0" and the
unfortunately misleading 2.0 revision number of "OpenID 2.0".

Kind Regards,
Chris Drake




