[OpenID] Secure attribute transmission

[Nate Klingenstein]

Andrew,

Absolutely, and in some situations that argument would be valid.   
Depends what you're trying to protect.  We worry principally about  
student data because we're custodians of that information and take  
our (FERPA) duty seriously.  It's a bigger issue for me than a  
compromised machine snooping courseware, to cite a common  
application.  I'm not sure how EU privacy laws would be interpreted  
here.

In other environments, the servers and their data are definitely more  
sensitive than personal data.  These environments tend to have strong  
authentication and closed networks.  Other networks can afford to be  
more open and expediency is favored.

The protocol could support many choices, but that complicates  
development and deployment.  Which environment(s) does OpenID want to  
live in, and what does that imply here?  I'd use that to inform  
choices here (and on a security committee, if convened).

Thanks for your deep consideration,
Nate.

On 3 Aug 2008, at 23:59, Andrew Arnott wrote:

> Very good point, Nate.  I hadn't considered #2.  Although one might  
> argue that once spyware is on the computer, all confidentiality  
> bets are off period anyway.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080804/6179c8e5/attachment-0002.htm>