<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Josh Hoyt wrote:
<blockquote
cite="mid34714aad0610201227n7701978ay305d652a4a912c37@mail.gmail.com"
type="cite">On 10/20/06, <b class="gmail_sendername">Alaric Dailey</b>
&lt;<a href="mailto:alaricd@pengdows.com">alaricd@pengdows.com</a>&gt;
wrote:
<div><span class="gmail_quote"></span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Is SSL going to be required
(to protect the users' data en-route)? </div>
</blockquote>
<div><br>
It is going to be strongly encouraged, but not required. The reality of
the situation is that not every site wants to pay for or can afford an
SSL certificate,</div>
</div>
</blockquote>
There are free SSL certs available from several sources, the most
accepted of which is StartCom. ( <a class="moz-txt-link-freetext" href="http://cert.startcom.org">http://cert.startcom.org</a> ). An
interesting side note is that SSL is being tossed about as a
requirement for joining the Jabber Federation ( <a class="moz-txt-link-freetext" href="http://www.xmpp.net">http://www.xmpp.net</a> ),
and they are using a startcom ssl cert.<br>
<br>
If you don't like free, try &lt; $10 from Registerfly (
<a class="moz-txt-link-freetext" href="http://www.registerfly.com/ssl/">http://www.registerfly.com/ssl/</a> ) .<br>
<br>
Therefore COST is not a valid excuse for bypassing SSL. <br>
<blockquote
cite="mid34714aad0610201227n7701978ay305d652a4a912c37@mail.gmail.com"
type="cite">
<div>
<div> and there are many valid scenarios in which that level of
protection is not necessary. </div>
</div>
</blockquote>
<br>
I know that as a conscientious user, I won't use a system that doesn't
protect my data en-route. <br>
<br>
<blockquote
cite="mid34714aad0610201227n7701978ay305d652a4a912c37@mail.gmail.com"
type="cite">
<div>
<div>Making a comment on a blog, posting to a message board, or
getting access to family photos are all scenarios in which I expect
that SSL might not be available.
<br>
</div>
</div>
</blockquote>
<br>
The moment you pass users' data, it should be encrypted, even if SSL
isn't the choice; for all I care it could be done via PGP emails. Even
if you don't want the protection of encryption, you NEED the data to
be signed to prevent data being modified en-route.<br>
<br>
<blockquote
cite="mid34714aad0610201227n7701978ay305d652a4a912c37@mail.gmail.com"
type="cite">
<div><br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">DNSSEC to validate the DNS
hasn't been modified?</div>
</blockquote>
<div><br>
Same argument as above, except that DNSSEC is not widely used, so
requiring it would set the bar even higher. I think it would be great
for support of DNSSEC to be wider, but requiring it would harm
adoption, especially for community sites, personal sites, and other
non-commercial communities.
</div>
<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Has anyone thought about this?</div>
</blockquote>
<div><br>
</div>
</div>
yep :)<br>
</blockquote>
Requiring DNSSEC might be stiff, but it would be a good idea,
especially for "authoritative" servers.<br>
<br>
<blockquote
cite="mid34714aad0610201227n7701978ay305d652a4a912c37@mail.gmail.com"
type="cite"><br>
The specification will enumerate the trade-offs for using or not using
different security technologies, and leave the decision up to
implementers. Hans from VeriSign has designed security profiles for
OpenID implementations.
<br>
<br>
Basically, the idea is that the user (with the IdP and RP's help) will
make decisions on what is secure enough while adoption is still taking
place, and eventually, there will be enforceable levels of security.<br>
<br>
Josh<br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<table border="1" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td>
<table style="border-color: rgb(0, 75, 26); height: auto;"
border="1" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="3" style="width: 414px;">
<table style="background-color: rgb(0, 75, 26);"
cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td
style="text-align: left; vertical-align: top; white-space: nowrap; width: 185px;">
<div style="color: White;"> <b>Pengdows, Inc.</b></div>
</td>
<td
style="text-align: right; vertical-align: top; white-space: nowrap;">
<div style="color: White;"> Everyone deserves privacy.</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="4"
style="clear: none; display: inline; float: left; visibility: visible; width: 414px;">
<table style="border-style: none; width: 100%;">
<tbody>
<tr>
<td style="vertical-align: middle; text-align: left;">
<a href="http://www.pengdows.com"> <img
style="border-style: none; text-decoration: underline; position: relative;"
src="cid:part1.00090808.08050308@pengdows.com" alt="Pengdows, Inc."></a></td>
<td> Alaric Dailey - President
<div style="font-size: x-small;">
<ul>
<li><a href="http://www.startssl.org">StartCom ‘Web
of Trust’ Member</a> </li>
<li><a
href="http://www.thawte.com/secure-email/web-of-trust-wot/index.html">Thawte
‘Web of Trust’ Notary </a></li>
<li><a href="http://www.nationalnotary.org/">Notary
Public and NNA member</a> </li>
<li><a href="http://www.cacert.org/wot.php?id=3">CAcert
‘Web of Trust’ Assurer</a></li>
</ul>
</div>
</td>
<td style="vertical-align: middle; text-align: right;">
<a href=""> <img
src="cid:part2.09030801.08010102@pengdows.com"
alt="National Notary Association Member"
style="border-style: none; text-decoration: underline; position: static;"></a>
<div
style="text-align: left; font-size: smaller; list-style-position: inside; list-style-type: square; white-space: nowrap;">
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr align="left">
<!-- bordercolor="#004B1A"--> <td colspan="3">
<div style="font-size: xx-small;">
<div
style="color: rgb(255, 0, 0); font-style: normal; font-family: Serif; font-variant: normal;">
ATTENTION USERS OF MICROSOFT OUTLOOK AND MICROSOFT OUTLOOK EXPRESS:</div>
Some versions of these products have trouble replying to digitally
signed emails, like this one.<br>
For more information on this error, and how to fix it, please visit Mark
Noble's website <a
href="http://www.marknoble.com/tutorial/smime/smime.aspx">here</a>.<br>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div style="font-size: small;"> Having trouble validating the digital
signature? <a href="http://cert.startcom.org/?app=109"> Install the
Certification Authority</a><!-- --> </div>
</div>
</body>
</html>