security
Chris Drake
christopher at pobox.com
Wed Oct 25 18:28:41 UTC 2006
>> No "Users" need to install SSL - only all RPs and IdPs

JH> If the user uses a URL identifier of his own, the security of their
JH> authentication is only as good as the security of their identifier
JH> URL, because this is how the IdP is discovered. Thus, if SSL is
JH> required for IdPs and RPs, it will be required for any user who brings
JH> their own URL identifier.

JH> Josh

We all *know* that - and how/where users host vanity domains is out of
scope anyhow: if a user needs security - they can use SSL - BUT -
***ONLY*** if OpenID itself MUST use end-to-end SSL in the first place.
Leave out SSL between the RP and IdP, and users can't get security,
not even if they do put SSL on their vanity domain.

Am I the only one who thinks this is a ridiculous discussion? All
IdPs will have SSL to start with, and it's a no-brainer to set up for
RP's, and there's a gazillion benefits - so there really is NO excuse
trying to argue against SSL, both from a technical *and* a marketing
**and** an ethics point of view.

Kind Regards,
Chris Drake