security

Alaric Dailey alaricdailey at hotmail.com
Tue Oct 24 12:24:51 UTC 2006


Actually if we stop and think about what I am getting at... I am not talking
about forcing a user to download and install WikID or buy a smartcard.  The
things I am stating are changes to the back end, site to site communications
and the securing of the tokens for the most part.

These are the things that will make or break decisions about whether or not
this system could EVER be used when meeting compliance with Sarbanes-Oxley
(Sox) or HIPAA is involved. In both Sox and HIPAA environments SSH and SSL
are common because FTP and every other unencrypted means of communications
(except FAX for some STUPID reason) are strictly banned.

So for widespread acceptance SSH tops the list in my eyes, of things that
were designed to be secure with the hundreds of thousands of TOR nodes
coming close to if not exceeding SSH. Even if SSH had problems to start
with, it was designed to be secure.

Yes I am talking about products that normally only technical people use, but
that was the premise of the thought in the first place. No one should ever
expect a user to have to figure out how to use these things themselves.
Look how much trouble people have with simple password authentication, and
the only truly widespread dumber-than-rocks-user accepted 2 factor
authentication system I have ever heard of is ATM cards.



 

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of James A. Donald
Sent: Tuesday, October 24, 2006 5:26 AM
To: general at openid.net
Subject: Re: security

 > Ssh v1 was a mess in terms of security from the start.
 > v2.0 is much better.

True, but it could not have been much better if SSH had not been designed
from the beginning to be secure, unlike telnet.

 > I wouldn't put any of these in the "got wide-spread
 > adoption" category.

SSH has widespread adoption, having pretty much wiped out telnet.  If you
take the attitude that software has to be compatible with people who do not
need security, no one will have security.  It is the people who do not need
security who have to be compatible.  You probably find yourself using SSH
whether you need security or not.