[OpenID] Backwards Compatibility

SitG Admin sysadmin at shadowsinthegarden.com
Tue Mar 17 23:07:21 UTC 2009


>>I'd like to remove the requirement for SSL enabled OPs to support 
>>DH. Are there any OPs that don't support HTTPS?
>
>Of course.  But perhaps the useful question could be phrased "are there 
>any OPs that don't support HTTPS that people would cry about not 
>working any more?"

Definitely! Individuals running their own OPs who don't care about 
security (because they only use it for leaving comments, and other 
low-value purposes), but *do* care about privacy (not giving *any* 
third party information about their OpenID activity on the web), and 
can't afford to use website hosts that provide SSL.

(Note that "can't afford to use" doesn't just mean "free as in beer", 
here; if the providers require registration information that the 
user, for privacy reasons, will not divulge, they cannot afford to 
use that provider's services. It's simple logic, albeit of the sort 
that seems to flee users' minds whenever faced with an SLA for 
software.)

Perhaps the use of SSL could be added into the minimum assurance 
levels area of the spec, so that users who insist on using OpenID but 
refuse to use an SSL-enabled OP will simply be unable to achieve any 
level of assurance beyond the very lowest? Sufficient for comment 
spam and the like, so OpenID still has *some* use to end-users.

-Shade
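The requirement under discussion (that an OP must be able to do a Diffie-Hellman association rather than hand the MAC key over in clear) is easiest to see by running both sides of the exchange. The following is an added example, not code from the post or from any OpenID library: the message fields and the DH-SHA256 / no-encryption session types follow OpenID Authentication 2.0, the endpoint URLs, assertion values and helper names are constructed for the demo, and the modulus is transcribed from the spec's Appendix B (check it against the spec before depending on the exact digits; the arithmetic works with any agreed prime). The OP refuses a no-encryption request unless it was reached over TLS, which is exactly why an OP on a plain-HTTP host, like the privacy-minded self-hosters described above, cannot drop DH.

```python
import base64
import hashlib
import hmac
import secrets

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Default DH modulus from OpenID Authentication 2.0, Appendix B, transcribed
# here (verify against the spec before relying on the exact value); g = 2.
DEFAULT_P = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
DEFAULT_G = 2


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (spec 4.2)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def unbtwoc(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _private_exponent(p: int) -> int:
    return secrets.randbelow(p - 2) + 1            # uniform in [1, p-2]


def rp_association_request(op_endpoint: str, p: int = DEFAULT_P, g: int = DEFAULT_G):
    """RP side: ask for no-encryption only when the OP endpoint is https
    (the MAC key would otherwise cross the wire in clear); DH everywhere else."""
    x = _private_exponent(p)
    req = {"openid.ns": OPENID_NS, "openid.mode": "associate",
           "openid.assoc_type": "HMAC-SHA256"}
    if op_endpoint.startswith("https://"):
        req["openid.session_type"] = "no-encryption"
    else:
        req["openid.session_type"] = "DH-SHA256"
        req["openid.dh_consumer_public"] = _b64(btwoc(pow(g, x, p)))
    return req, x


def op_handle_association(req: dict, over_tls: bool, p: int = DEFAULT_P, g: int = DEFAULT_G):
    """OP side. Returns (direct response, mac_key or None); a real OP stores the
    key under assoc_handle. no-encryption is refused off TLS with the spec's
    unsupported-type error, which also advertises what the OP does support."""
    session_type = req.get("openid.session_type")
    ok = req.get("openid.assoc_type") == "HMAC-SHA256" and (
        session_type == "DH-SHA256" or (session_type == "no-encryption" and over_tls))
    if not ok:
        return ({"ns": OPENID_NS, "error": "unsupported association request",
                 "error_code": "unsupported-type",
                 "session_type": "DH-SHA256", "assoc_type": "HMAC-SHA256"}, None)
    mac_key = secrets.token_bytes(32)              # 256-bit key for HMAC-SHA256
    resp = {"ns": OPENID_NS, "assoc_handle": _b64(secrets.token_bytes(12)),
            "session_type": session_type, "assoc_type": "HMAC-SHA256",
            "expires_in": "3600"}
    if session_type == "no-encryption":
        resp["mac_key"] = _b64(mac_key)
    else:
        consumer_pub = unbtwoc(base64.b64decode(req["openid.dh_consumer_public"]))
        if not 1 < consumer_pub < p - 1:            # reject degenerate public values
            return ({"ns": OPENID_NS, "error": "bad dh_consumer_public"}, None)
        y = _private_exponent(p)
        shared = pow(consumer_pub, y, p)
        resp["dh_server_public"] = _b64(btwoc(pow(g, y, p)))
        resp["enc_mac_key"] = _b64(_xor(hashlib.sha256(btwoc(shared)).digest(), mac_key))
    return resp, mac_key


def rp_finish_association(resp: dict, x: int, p: int = DEFAULT_P) -> bytes:
    """RP side: recover the MAC key. Only H(btwoc(g^xy)) XOR mac_key was on the wire."""
    if "error" in resp:
        raise ValueError(resp["error"])
    if resp["session_type"] == "no-encryption":
        return base64.b64decode(resp["mac_key"])
    server_pub = unbtwoc(base64.b64decode(resp["dh_server_public"]))
    if not 1 < server_pub < p - 1:
        raise ValueError("bad dh_server_public")
    shared = pow(server_pub, x, p)
    return _xor(hashlib.sha256(btwoc(shared)).digest(), base64.b64decode(resp["enc_mac_key"]))


def signature(msg: dict, mac_key: bytes) -> str:
    """HMAC over the key-value form ('field:value\\n') of the openid.signed fields."""
    kv = "".join(f"{f}:{msg['openid.' + f]}\n" for f in msg["openid.signed"].split(","))
    return _b64(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest())


def demo(op_endpoint: str):
    """Associate, then sign and verify a (constructed) positive assertion.
    Returns (keys agree, genuine assertion verifies, tampered assertion verifies)."""
    req, x = rp_association_request(op_endpoint)
    resp, op_key = op_handle_association(req, over_tls=op_endpoint.startswith("https://"))
    rp_key = rp_finish_association(resp, x)
    assertion = {  # constructed values, not from any real OP
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": op_endpoint + "shade",
        "openid.identity": op_endpoint + "shade",
        "openid.return_to": "http://rp.example/finish",
        "openid.response_nonce": "2009-03-17T23:07:21ZAbCd",
        "openid.assoc_handle": resp["assoc_handle"],
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    assertion["openid.sig"] = signature(assertion, op_key)
    tampered = dict(assertion, **{"openid.claimed_id": op_endpoint + "someone-else"})
    return (rp_key == op_key,
            hmac.compare_digest(signature(assertion, rp_key), assertion["openid.sig"]),
            hmac.compare_digest(signature(tampered, rp_key), tampered["openid.sig"]))
```

`demo("http://op.invalid/")` and `demo("https://op.invalid/")` both yield `(True, True, False)`: the RP ends up with the OP's MAC key either way, but over plain HTTP it only gets there via DH, and an OP that answered a no-encryption request on that transport would be handing the key to anyone on the path.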