[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Peter Watkins peterw at tux.org
Fri Jan 2 17:10:28 UTC 2009


On Fri, Jan 02, 2009 at 11:08:39AM +0200, Martin Paljak wrote:

> In real life most end-user software does not check for the status of a
> certificate (CRL/OCSP)

I suspect that claim is not true. IE7 on Vista and Firefox 3 default
to using OCSP -- for instance, by the time I followed the recipe for
the www.mozilla.com demo of the cert that never should've been issued,
Firefox 3's OCSP check rejected it.

> I second here the questions often raised about CA-s by Peter Williams,
> but the community has managed to subtly ignore the topic. "If there is
> a problem (which we don't believe there is) then this is for the PKI/
> TLS/HTTPS guys to fix", "Just pay to a big company for your certs",
> "Apparently we use whatever CA certificates Debian uses" are all signs
> of delegating the problem somewhere else.

And why not delegate? TLS is a bedrock security technology for current
Web business -- from a simple Yahoo storefront to millionaires accessing
their online brokerage accounts. A lot of businesses have a lot riding on
TLS and https, and a lot of incentive to fix any problems. And we've seen
them do just that. It's not perfect (I'm still peeved that Microsoft has
effectively blocked attempts to give TLS RSA decent forward secrecy), but
TLS is widely understood to be critically important, and people more
influential than us, and smarter than me, are working on this stuff -- the
improved OCSP support in Firefox and IE7 being a good illustration.

> In addition to "let's just do what everybody else is doing" OpenID
> could provide additional mechanisms. I once suggested having a
> separate configuration file and format for RP libraries to be able to
> configure white/blacklists and OP certificates/CA-s checksums and
> trust settings.

Nothing is stopping any RP from doing that. Shoot, that's what Microsoft's
HealthVault site has been doing for OpenID all along.

-Peter
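The RP-side trust configuration Martin describes above (allow/deny lists of OPs plus pinned checksums of OP certificates), sketched as an added Python example that is not part of this thread or of any OpenID library. The policy layout, field names and certificate bytes are constructed assumptions, and the check is meant to run after normal TLS chain and OCSP validation, not instead of it.

```python
import hashlib

def cert_fingerprint(cert_der):
    """SHA-256 checksum of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER certificates (not real certificates).
GOOD_OP_CERT = b"constructed DER bytes for op.example"
OTHER_CERT = b"constructed DER bytes for some other server"

# Constructed RP policy in the spirit of the proposal: per-RP allow/deny
# lists of OP hosts and pinned certificate checksums. Field names are
# assumptions, not a format any OpenID library actually reads.
POLICY = {
    "deny": ["evil-op.example"],
    "allow": ["op.example", "id.example"],
    "pins": {"op.example": [cert_fingerprint(GOOD_OP_CERT)]},
    # When true, an OP must be on the allow list to be trusted at all.
    "require_allowlist": True,
}

def check_op(host, cert_der, policy):
    """Return (trusted, reason) for an OP at `host` presenting `cert_der`.

    Deny entries win over allow entries; a pinned host must present a
    certificate whose checksum matches one of its pins; an allowlisted
    host without pins is accepted on the strength of CA validation alone.
    """
    host = host.lower().rstrip(".")
    if host in policy.get("deny", []):
        return False, "host is denylisted"
    if policy.get("require_allowlist") and host not in policy.get("allow", []):
        return False, "host not on allowlist"
    pins = policy.get("pins", {}).get(host)
    if pins:
        fp = cert_fingerprint(cert_der)
        if fp not in pins:
            return False, "certificate checksum does not match pin"
        return True, "pinned certificate matched"
    return True, "allowlisted; relying on CA validation only"

if __name__ == "__main__":
    for h, c in [("op.example", GOOD_OP_CERT), ("op.example", OTHER_CERT),
                 ("evil-op.example", GOOD_OP_CERT), ("unknown.example", OTHER_CERT)]:
        print(h, check_op(h, c, POLICY))
```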