OpenID security

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Tue Oct 24 20:05:14 UTC 2006


Hans Granqvist wrote:
> To be adopted by many, a protocol should be usable to many.
>
> Some services and people require less stringent security than
> others. Some services and people require more. And some people
> and services don't really care either way.
>   
The user shouldn't be involved in security-related decisions at all. It
should just work and be secure (in my opinion). The same goes for PRs
and to some extent even IDPs. If a PR can't configure an SSL server (as
suggested by someone), then the same PR shouldn't have choices either,
but run by default in "secure mode" or not run it at all....
> A while back I drafted some security profiles [1] that deal
> with (1.) and (2.). The enforcement (3.) is difficult to
> mandate on the OpenID protocol level, but could be handled by
> IDP and RP applications.
>
> I realize these profiles are not complete, but I think they
> are a reasonable starting point for our discussion.
>   
Very interesting... Is this going to be part of the 2.0 specs (or
whatever it is going to be), or is this an optional extension really?

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390