security

Chris Drake christopher at pobox.com
Wed Oct 25 00:07:38 UTC 2006


MA> not something I'd want to inflict on
MA> all relying parties, and an unreasonable burden on early
MA> adopters..

OpenID's a *library* - if you can't install an SSL cert, you've got
utterly zero chance of figuring out how to install OpenID.  (Vanity
URL owners don't *install* OpenID)

Security is a MUST.  "Multiple Levels" is shorthand for "won't ever
happen": how many people here use POP3s or IMAPs or even SMTP+TLS?

Kind Regards,
Chris Drake


Wednesday, October 25, 2006, 3:34:31 AM, you wrote:

MA> Chris Drake wrote:
>>
>> It's not *really* a pain either - paste your CSR and credit card into
>> ipsca, and $38 + 1 minute later - you're trusted.
>>

MA> You have a cert, but now you have to figure out how to use that cert
MA> with whatever service you're trying to run. The first time I set up SSL
MA> in Apache I lost an hour of my life trying to figure this out.

MA> Additionally, it's not possible for many people to deploy SSL on their
MA> own sites because they are hosted on a third-party server with no access
MA> to the configuration to add an SSL cert and sharing an IP address with
MA> possibly hundreds of other sites.

MA> So yes, SSL *is* a pain for various reasons. Pain I'd expect any 
MA> reputable IdP to go through, but not something I'd want to inflict on
MA> all relying parties, and an unreasonable burden on early adopters who
MA> are just setting up a vanity identity URL for the fun of it.


MA> _______________________________________________
MA> general mailing list
MA> general at openid.net
MA> http://openid.net/mailman/listinfo/general