security
Martin Atkins
mart at degeneration.co.uk
Wed Oct 25 18:41:36 UTC 2006
James A. Donald wrote:
>
> So on reflection, we do have to support multiple levels
> of security - but this creates problems, which must be
> solved.
>
> It is intolerable if this endangers the guy whose
> identity is
> https://www.bankamerica.com/finance/transactions/vp.htm
>
I can't think of any situation where one person's unsecured identifier
could compromise any other identifier, secured or otherwise. Whether to
encrypt your identifier URL is a personal decision with personal
repercussions: it doesn't (unless I'm missing something) make any
difference to anyone else. [1]

[1] Except, perhaps, an RP that ends up being liable as a result of some
identity theft, but we've already established that particular RPs MAY
refuse to accept unsecured identifiers if they suffer such risks, and if
that isn't enough (that is, you absolutely need to identify the actual
human behind the identifier for some reason) then you should probably be
using a stronger identity mechanism than OpenID.
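
An added illustration, not part of the original message: a sketch of a relying-party policy in which each RP decides for itself whether to accept unsecured (http) identifiers, and accounts are keyed on the full normalized URL so that an http identifier can never resolve to the account of an https one. The class and function names are hypothetical, the normalization is simplified, and verification with the identity provider is omitted.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class IdentifierRejected(Exception):
    """Raised when an identifier is malformed or refused by RP policy."""


def normalize(user_input):
    """Return a canonical form of a user-supplied identifier URL (simplified)."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s  # no scheme typed: treated as plain http, i.e. unsecured
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise IdentifierRejected("not an http(s) URL")
    host = parts.hostname.lower()
    if parts.port and parts.port != DEFAULT_PORTS[scheme]:
        host += ":%d" % parts.port
    # The scheme stays part of the key: http://x/ and https://x/ are two identifiers.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


class RelyingParty:
    """Hypothetical RP with a per-site policy on unsecured identifiers."""

    def __init__(self, require_https):
        self.require_https = require_https
        self.accounts = {}  # normalized identifier -> local account id

    def login(self, user_input):
        ident = normalize(user_input)
        if self.require_https and not ident.startswith("https://"):
            raise IdentifierRejected("this RP refuses unsecured identifiers")
        # Assumption: verification with the identity provider succeeds here.
        new_id = "acct-%d" % (len(self.accounts) + 1)
        return self.accounts.setdefault(ident, new_id)


if __name__ == "__main__":
    blog = RelyingParty(require_https=False)   # low-risk RP accepts both kinds
    bank = RelyingParty(require_https=True)    # high-risk RP refuses http
    print(blog.login("https://alice.example/"), blog.login("alice.example"))
    try:
        bank.login("alice.example")
    except IdentifierRejected as err:
        print("bank:", err)
```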