[OpenID] Reconsidering http://openid different from https://openid
Pat Patterson
Andrew.Patterson at Sun.COM
Fri Sep 21 17:04:06 UTC 2007
Doesn't this loop back to
http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html ?
The lack of a formal problem statement/requirements means that, to a
certain extent, we are all just stumbling about in the dark, bumping
into each other, rather than converging on a specific goal.
Cheers,
Pat
Paul C. Bryan wrote:
> Well put. +1!
>
> If there were general consensus by the OpenID development and deployment
> communities that OpenID should be strictly limited to being a
> replacement to email verification, I certainly wouldn't quarrel so much
> with such attempts at making it more intuitive at the expense of
> security.
>
> Paul
>
> On Fri, 2007-09-21 at 08:11 -0500, Christopher St John wrote:
>
>> On 9/20/07, Paul C. Bryan <email at pbryan.net> wrote:
>>
>>> I believe the question should be framed around what solution can be
>>> (primarily) secure and (secondarily) intuitive.
>>>
>>>
>> I think the disconnect is the assumption that OpenID should be secure
>> against every conceivable form of attack and appropriate for the most
>> sensitive financial transactions.
>>
>> It's not.
>>
>> It's a widely applicable but very simple and limited replacement for
>> those stupid email verification thingies. As such, it's more important
>> that it be intuitive than ultimately secure.
>>
>> If you need the former, then Oasis has some technology for you. It's
>> pointless to try and reinvent it here.
>>
>> Limiting the scope makes it possible to ignore lots of hard
>> problems.
>>
>> For example, I suspect that the DNS attack is a red herring. If you
>> had control of someone's access to DNS you could do much
>> evil-er things than mess with their OpenID. And the fact that their
>> OpenID is a relatively low-value target (compared to bank logins)
>> makes it less likely to be attacked.
>>
>>
>> -cks
>>
>>
>
>
--
Pat Patterson - pat.patterson at sun.com
Federation Architect,
Sun Microsystems, Inc.
http://blogs.sun.com/superpat