security

Alaric Dailey alaricdailey at hotmail.com
Wed Oct 25 02:49:58 UTC 2006


I posted the solution yesterday, AND stated that it didn't require an RP to
have SSL.

Mind you, I wasn't super specific, especially about the "tokens". I am a
programmer, but I don't deal with websites, mostly web services and
client-server. So I am not sure if you are using cookies, and if so what the
limitations of cookies are; I have people for that.

But my understanding is that I could sign something like a bit of XML data
in the cookie to state the user's id, that they are validated, when the logon
ticket needs to be renewed, etc., including a digital signature of that data
so that it may be validated by the RP.

This premise would 100% resolve any possible spoof.

Kerberos has already addressed SO many of these issues:

http://www.isi.edu/~brian/security/kerberos.html

No, I am not saying OpenID should be based on it, but it certainly is worth
learning from.

Furthermore ALL data transfer should be encrypted, end of story.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Scott Kveton
Sent: Tuesday, October 24, 2006 7:16 PM
To: general at openid.net
Subject: Re: security

>> OpenID's a *library* - if you can't install an SSL cert, you've got
>> utterly zero chance of figuring out how to install OpenID.  (Vanity
>> URL owners don't *install* OpenID)
>> 
>> Security is a MUST.  "Multiple Levels" is shorthand for "won't ever
>> happen": how many people here use POP3s or IMAPs or even SMTP+TLS ?
>>   
> +1 Amen! 

Eddy, Chris, James, Alaric: I appreciate that you have concerns with
possible security issues with OpenID.  I'd _really_ appreciate some possible
solutions.  It's easy to cast stones ...

Let's keep the focus here on helping make OpenID the solution that solves
the single sign-on problem.  That's what this list is for.

- Scott
