[OpenID] Anybody here from MySpace?

Nat Sakimura n-sakimura at nri.co.jp
Tue Jul 29 03:06:27 UTC 2008


Setting aside if it should be IETF, I really think we need to bolster up 
the security of OpenID, such as defaulting to https throughout 
(including discovery). Security concern on OpenID is hindering the 
adoption in the more serious applications.

I fully support the idea of having mid-term (18 months) Roadmap.

Is there a security committee or something like that in the community?

=nat

Johannes Ernst wrote:

> On 2008/07/27, at 10:28, Peter Williams wrote:
> 
>> Ok. We need to get serious. Full throated use of OpenID2 by the
>> likes of MySpace - with its impact on core internet engineering and
>> credibility - requires IETF-grade engineering (and its rather inane
>> - but effective - security review processes). In particular, we have
>> to have a sound plan for OpenID3 and 4... that needs cooperation
>> with IETF/IESG for the internet-relevant parts of OpenID.
>>
>> We just have to be doing something about securing discovery properly
>> for the scale envisioned, particularly in light of the IPV6 era.
>> There are lots of core topics: address discovery, service provider
>> edge re-addressing, and all the other realities of the mainstream
>> internet core.
>>
>> Whilst I feel in my gut that OpenID Forum needs to provide a
>> framework for web types to operate and do their thing on topics such
>> as persistent naming through name-value pairs and schema writing
>> (areas that IETF culture is typically really bad at), there are
>> areas of OpenID that belong in the mainstream IETF forum.
>>
>> Can you articulate this (independent) view to the Board for me?
> 
> I can try. So far, I'm still trying to convince the other members of
> the board that having an 18-month plan (or whatever the timeframe) is
> a good idea, because we don't have one -- and in my view, it shows.
> 
> Johannes Ernst
> NetMesh Inc.