OpenID security

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Oct 25 01:04:40 UTC 2006


Hans Granqvist wrote:
>> A. It's not complete
> What is missing?  (Please don't respond with the sections that
> are already specified as TBD.)
Nono... just stated the fact that it's not completed yet and some parts
are marked as todo... That's OK!
>> B. It has a geeky approach (which is really OK), but I'd prefer a
>> clear cut model of security defined, i.e. only options which define
>> certain levels, but not unsecured ones
> I don't understand. Can you give an example on what you'd expect?
The possible options are some ten fields, which require answers from one
or both sides. This might be OK for me (you and a few others) and
provides flexibility; however, I'm not sure if it needs this flexibility
at all... Why not define ONE secured mode, known by all parties, and be
done with it? More than that, the user, who should really care most about the
selections, doesn't seem to have a say...

I really would say that there should be only a secure or an unsecured
model (preferably with the unsecured one not being usable) and the settings
should just be defined, like:

1.) Yes
2.) No
3.) HTTPS / XRDS
4.) No
(5. Yes)
6.) Yes
7.) DH-SHA1/DH-SHA256
......

If there were only ONE definition, then you'd opt for the best
available one... The optional fields would be reduced to about two or
three perhaps...

> I want these profiles to be usable.
They are usable!
> Both the IDP and the RP can advertise adherence to specific profiles.
And who wins? I was afraid of that one...

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390