security

Josh Hoyt josh at janrain.com
Wed Oct 25 18:32:33 UTC 2006


On 10/25/06, Chris Drake <christopher at pobox.com> wrote:
> >> No "Users" need to install SSL - only all RPs and IdPs
>
> JH> If the user uses a URL identifier of his own, the security of their
> JH> authentication is only as good as the security of their identifier
> JH> URL, because this is how the IdP is discovered. Thus, if SSL is
> JH> required for IdPs and RPs, it will be required for any user who brings
> JH> their own URL identifier.
>
> JH> Josh
>
> We all *know* that - and how/where users host vanity domains is out of
> scope anyhow: if a user needs security - they can use SSL - BUT -
> ***ONLY** if OpenID itself MUST use end-to-end SSL in the first place.

I was merely disagreeing with your statement that 'No "Users" need to
install SSL'. Do you agree that if the protocol requires SSL then
users WILL have to install it for their identifier URLs?

Josh
