[OpenID] Fwd: [OpenID Foundation] New Poll Opened

Martin Atkins mart at degeneration.co.uk
Sat Mar 21 17:19:08 UTC 2009


Eddy Nigg (StartCom Ltd.) wrote:
> On 03/21/2009 01:27 AM, Martin Atkins:
>>
>> The original OpenID was designed to operate without SSL at all, with 
>> parties establishing associations on the fly with no verification, and 
>> it remains that way today on LiveJournal.com. Some folks wanted the 
>> benefits that SSL brings, and that's fine... no-one's forcing you to 
>> use SSL right now. I fought SSL being a requirement for OpenID 2.0 and 
>> I will continue to fight it as I believe it should be up to each party 
>> to decide whether it needs the benefits SSL provides.
>>
>>
> 
> Clearly the major OPs decided already that they need the security and 
> protection SSL offers. Why should we send SREG and other data around in 
> plain text? For which benefit exactly? Why does OpenID have to align with 
> a handful of anti-PKI proponents serving a handful of users, instead of 
> creating a strong specification useful for the vast majority serving 
> millions of user authentications and data?
> 

Nothing I transmit over SREG is a secret, so I personally don't care 
about that particular information being in cleartext.

What I care about (and why I ended up picking a provider that uses SSL 
despite it not being a strong requirement for me) is secure 
(non-phishable) authentication. I use SSL client certs to authenticate 
to my OP.

The vanity OpenID identifier I use is not SSL, but I use it only for 
low-value transactions and so I don't care. When I want to do something 
higher-value -- which, right now, is rare -- I use the SSL identifier 
provided by my OpenID provider.

It is not worth the effort to me to set up SSL for my vanity identifier 
that I use to leave comments on blogs and sign in to stupid social websites.

The current spec does not say that you must NEVER use SSL, it leaves 
that decision up to the parties involved. Many parties have chosen to 
use SSL because they consider the benefits it brings to be valuable, and 
that's fine.
