[OpenID] [LIKELY_SPAM]Re: Windows Live ID Becomes an OpenID Provider

Peter Williams pwilliams at rapattoni.com
Wed Nov 26 01:01:38 UTC 2008


So, if they support https URLs and their SSL server-endpoints require the client to use the null ciphersuite for integrity and encryption, would you still be happy?

If they use American ciphers tailored for 1995-era spying (40bit RC4, say) will you be willing to use that, for OP discovery? If they use 512 bit RSA for the SSL endpoint authentication, will you accept it?

Having a policy such as "https" - without stating the ciphersuites, the strength of crypto and keys, and the required trust fabric for key management - is meaningless.

The good part is that in OpenID, since the RP site is a server thread and IT is in control of accepting the SSL ciphersuites during IDP discovery, unlike EC-SSL, a few major RPs can easily drop those OPs whose proposed SSL ciphersuites don't meet national requirements, or which refuse to present a (bridged) cert chain of a particular (say, Danish government-licensed) cross-certifying CA.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Watkins
Sent: Tuesday, November 25, 2008 4:53 PM
To: Jorgen Thelin
Cc: general at openid.net
Subject: [LIKELY_SPAM]Re: [OpenID] Windows Live ID Becomes an OpenID Provider



(and fully
expect that we won't accept Live ID at all if the official provider
you launch next year doesn't support https).

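The point made above, that "https" is not a policy until the RP pins down protocol version, ciphersuites and key sizes, and that the RP is the party positioned to enforce it during OP discovery, can be shown as RP-side code. This is an added example, not code from the thread or from any OpenID library: it builds the TLS client context an RP would use to fetch an OP's discovery URL and then evaluates what was actually negotiated against an explicit policy. The thresholds, the forbidden-token list and the `NegotiatedTLS` record are assumptions chosen for illustration; the peer key size is passed in as a parameter because reading it from the DER certificate needs a parser outside the standard library.

```python
"""RP-side TLS policy for OpenID Provider discovery (added example).

Illustrates the thread's point: an RP that only says "https" has no
policy. The RP is the TLS client during discovery, so it controls the
protocol floor and ciphersuite allow-list it offers, and it can reject
an OP based on what was actually negotiated. All thresholds below are
assumptions, not values from the thread.
"""
import ssl
from dataclasses import dataclass
from typing import Tuple

# Policy thresholds (assumptions for this example).
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_SYMMETRIC_BITS = 128
MIN_PEER_KEY_BITS = 2048
# Substrings that mark a ciphersuite the RP will never accept, no matter
# what the OP proposes (null cipher/auth, export grades, RC4, DES, MD5).
FORBIDDEN_CIPHER_TOKENS = ("NULL", "RC4", "EXP", "DES", "MD5", "ANON")


def build_rp_discovery_context() -> ssl.SSLContext:
    """TLS client context the RP uses when fetching an OP discovery URL.

    create_default_context() turns on chain and hostname verification;
    the rest pins the protocol floor and the ciphersuites the RP offers,
    so a server that only speaks null/export/RC4 suites fails the
    handshake instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES"
    )
    return ctx


@dataclass
class NegotiatedTLS:
    """What the handshake actually produced (shape of SSLSocket.cipher())."""
    cipher: str         # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    protocol: str       # e.g. "TLSv1.2"
    bits: int           # symmetric key strength reported by OpenSSL
    peer_key_bits: int  # size of the server certificate's public key


def negotiated_from_socket(sock: ssl.SSLSocket, peer_key_bits: int) -> NegotiatedTLS:
    """Build the record from a live connection.

    peer_key_bits must be taken from sock.getpeercert(binary_form=True)
    with a DER parser (e.g. the 'cryptography' package); it is passed in
    here so this example stays standard-library only.
    """
    name, proto, bits = sock.cipher()
    return NegotiatedTLS(name, proto, bits, peer_key_bits)


def evaluate_policy(n: NegotiatedTLS) -> Tuple[bool, str]:
    """Accept or reject an OP endpoint based on the negotiated parameters.

    Returns (accepted, reason). Order matters only for the reason text;
    any single failure rejects the OP.
    """
    if n.protocol not in ACCEPTED_PROTOCOLS:
        return False, f"protocol {n.protocol} is below the policy floor"
    upper = n.cipher.upper()
    for tok in FORBIDDEN_CIPHER_TOKENS:
        if tok in upper:
            return False, f"ciphersuite {n.cipher} is forbidden ({tok})"
    if n.bits < MIN_SYMMETRIC_BITS:
        return False, f"{n.bits}-bit symmetric key below {MIN_SYMMETRIC_BITS}"
    if n.peer_key_bits < MIN_PEER_KEY_BITS:
        return False, f"{n.peer_key_bits}-bit server key below {MIN_PEER_KEY_BITS}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed handshake outcomes, mirroring the cases in the thread.
    samples = [
        NegotiatedTLS("NULL-SHA256", "TLSv1.2", 0, 2048),           # null cipher
        NegotiatedTLS("EXP-RC4-MD5", "TLSv1", 40, 512),             # 40-bit RC4
        NegotiatedTLS("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128, 512),  # 512-bit RSA
        NegotiatedTLS("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256, 2048),
    ]
    for s in samples:
        print(s.cipher, evaluate_policy(s))
```

In practice the RP would wrap the discovery fetch in `build_rp_discovery_context()`, then call `negotiated_from_socket` on the resulting socket and refuse to cache or trust the OP's XRDS/Yadis document if `evaluate_policy` rejects it; the handshake-level restrictions already stop the worst cases, and the post-handshake check is what lets the RP log the reason and drop the OP deliberately.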