security

Hans Granqvist hgranqvist at verisign.com
Mon Oct 23 18:25:42 UTC 2006


James A. Donald wrote:
> Dick Hardt wrote:
>  > Hans has written a security profile proposal so that
>  > an RP would be able to decide if an IdP supported a
>  > level of security appropriate for a transaction.
> 
> Too damn many options for the end user to track - so the
> end user will not track them.  End users are hopelessly
> overloaded with security issues, and so cannot pay
> attention.

I agree on options generally being a bad thing . . .
. . . but why does the end-user need to track these options?

Surely, an end-user need not track what key exchange, data
transfer cipher, and message digest algorithms are negotiated
for an SSL session?

I see OpenID authentication as quite similar in that respect.

The profile doc I drafted contains two levels of security,
'A' and 'B'.  The RP and the IDP can discover and adhere to
a level, if they so desire.  The level is not visible
to the end-user, who only sees current browser security
artifacts, for example the lock icon:  no need to learn
anything new.

> 
> Make it one mode and that mode secure.  Let us not have
> another repeat of the phishing crisis.
> 

OpenID covers the low to medium-high range of the security
spectrum.  If you want the high-end range, you should look
elsewhere, as OpenID's dependencies prevent it from reaching
that level!

Hans





