security
Dick Hardt
dick at sxip.com
Mon Oct 23 20:22:43 UTC 2006
On 23-Oct-06, at 11:13 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Dick Hardt wrote:
>> Eddy, I am not sure you understand how OpenID works. Provided
>> there is an SSL connection to the Homesite/IdP, none of that data
>> is compromised. No personal data is moved in the connection
>> between the user and the RP.
> Thanks for the flowers... :-), but without getting into this much
> more in detail, a home site might store (and request) more than
> just the user name and password, but more personal details. The
> same might be true for RPs as well. Once gained access, anything would
> be open to the "user"... SSL should give sufficient protection
> against sniffing and to a certain extent for MITM attacks... I never
> claimed that personal data is moved (currently) between the user
> and RP...
In my example, I was logging into a blog providing only my blog URL
that was going to be displayed publicly.
Clearly if I am moving personal data that is sensitive, I would want
SSL to be used, and just like providing data to forms today, RPs use
SSL when the data is sensitive.
-- Dick