security
Chris Drake
christopher at pobox.com
Wed Oct 25 09:06:20 UTC 2006
Hi Josh/Dan/Martin/Etc,

No "Users" need to install SSL - only all RPs and IdPs

Besides the plain fact that it's criminally irresponsible to handle
identity information without protecting it - absolutely zero reputable
RPs will ever adopt OpenID if they discover it only operates in
insecure mode, and a good proportion of existing responsible OpenID
sites will pull it down when they too notice this critical omission.

I'm not interested in contributing to a standard that has no chance of
being adopted, and no interest in security. *and* - for the record -
OpenID doesn't yet have a mechanism for single-sign-on. Having to
re-key my username on every new site I visit is not *my* idea of
"single". RPs expect OpenID to do what it says - e.g. - SSO - they are
not going to be pleased to have to roll their own SSO after they
realize that OpenID doesn't do it...

Kind Regards,
Chris Drake
Wednesday, October 25, 2006, 10:22:37 AM, you wrote:
JH> On 10/24/06, Chris Drake <christopher at pobox.com> wrote:
>> OpenID's a *library* - if you can't install an SSL cert, you've got
>> utterly zero chance of figuring out how to install OpenID. (Vanity
>> URL owners don't *install* OpenID)
JH> They don't have to install a library or write an application. They
JH> only have to sign up for an account with an IdP and insert one line of
JH> markup into a page that they want to use as an identifier.
JH> If SSL is required, then they have to also get a certificate and get
JH> whoever is hosting their vanity domain to install and activate it.
JH> Josh