security

Alaric Dailey alaricdailey at hotmail.com
Mon Oct 23 15:01:11 UTC 2006


Or SMTP, or POP3 or IMAP or the failed SSL encryption that was built into 1
version of AIM.

Same story.


I should quote Bruce Schneier and Niels Ferguson, but I am too lazy to type
that much, read the last paragraph of page 4 from "Practical Cryptography".


-----Original Message-----
From: James A. Donald [mailto:jamesd at echeque.com] 
Sent: Monday, October 23, 2006 7:08 AM
To: Scott Kveton
Cc: Alaric Dailey; general at openid.net
Subject: Re: security

Scott Kveton wrote:
 > I'm not saying we shouldn't secure this technology.
 > It's absolutely critical.  However, I believe "simple
 > and open" need to come first to aid in adoption and
 > more importantly for us to figure out how users are
 > going to use this technology.  There are lots of great
 > technologies out that are completely secure but
 > utterly useless for end-users.

Consider the story of SSH.

SSH has one mode, and that mode is always secure.  Telnet had two modes,
regular telnet, and telnet over SSL.
Telnet over SSL was arguably as secure, in some important ways more secure,
than SSH, but no one ever managed to get telnet over SSL working.  Everyone
always defaulted to the default (insecure) mode, and so everyone adopted
SSH, because it was a lot simpler to be secure over SSH than to use a
protocol that was basically insecure, with security cumbersomely cobbled
onto it.
