security
James A. Donald
jamesd at echeque.com
Thu Oct 26 07:50:55 UTC 2006
Eddy Nigg (StartCom Ltd.) wrote:
> Well...you seem to be right that this is not defined in the OpenID
> standard, which is really another bad thing, and perhaps it's time to
> correct this now. If the IDP implements a sloppy authentication facility
> (and data storage etc.), then the relying parties are going to suffer
> from this. The RP can't know which are the good or bad IDPs, and
> therefore a standard and rules have to be implemented which define
> exactly what adequate protection of the facility - protection of the
> transport protocol and so on - is....
Protocols should specify how the communicating parties should interact,
not how everyone in the universe should behave.
If the IDP has a bad logon process, the primary victim is the person who
chose the IDP, so the matter will correct itself.
Flexibility is dangerous - as IPsec demonstrated - but so is trying to
dictate everything to everyone.