Solution
James A. Donald
jamesd at echeque.com
Tue Oct 24 23:47:17 UTC 2006
--
> > 4. require ssl for IdPs for logon pages etc...
Dan Lyke wrote:
> I'd strongly object to this for one specific reason:
> It slows the adoption of other systems for the user to
> assert their identity to their IdP, key cards,
> biometrics, whatever, that happen through browser
> enhancements. Yes, that information should be
> encrypted, but requiring SSL as the mode of
> communication seems like it's locking people in to
> potentially non-optimal solutions.
SSL based on VeriSign certificates is slow, costly, and
a real bastard to install.
Of course that is the secure identity system for domains
that we have right now, and if you are building
individual identity on top of domain identity you need
some secure system for domain identity - but if you are
building an identity system, you should perhaps consider
providing identity for domains as well.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Pa2LxSi000itSGMS9r6MAjAm3njdXaKThUdM/8Sy
456HZwe6LPaoKGrNIa7jDuzQ38hj4enzvpu8YcJ/N