OpenID security
Hans Granqvist
hgranqvist at verisign.com
Tue Oct 24 16:23:27 UTC 2006
To be adopted by many, a protocol should be usable to many.
Some services and people require less stringent security than
others. Some services and people require more. And some people
and services don't really care either way.
One way to handle all these requirements in a protocol is to:
1. specify multiple levels of security,
2. specify a way to agree on a level, and
3. specify how to enforce that level
A while back I drafted some security profiles [1] that deal
with (1.) and (2.). The enforcement (3.) is difficult to
mandate on the OpenID protocol level, but could be handled by
IDP and RP applications.
I realize these profiles are not complete, but I think they
are a reasonable starting point for our discussion.
-Hans
[1]
http://openid.net/specs/openid-authentication-2_0-security-profiles-01.html