<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>RE: Re: SSL, DNSSEC and protected data enroute? (was Re: off topic -how many people use OpenID ?)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>I honestly didn't believe this over a year ago when I first met the VeriSign guys, but I just want to make it clear that VeriSign is not involved in OpenID with the goal of selling SSL certificates.<BR>
<BR>
From a security perspective, self-signed certs can do a lot of what is needed for what OpenID is doing. At the same time, there really is value, even for OpenID, in a cert that chains up to a trusted CA.<BR>
<BR>
--David<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Eddy Nigg (StartCom Ltd.) [<A HREF="mailto:eddy_nigg@startcom.org">mailto:eddy_nigg@startcom.org</A>]<BR>
Sent: Friday, October 20, 2006 02:26 PM Pacific Standard Time<BR>
To: general@openid.net<BR>
Subject: ***SPAM*** Re: SSL, DNSSEC and protected data enroute? (was Re: off topic -how many people use OpenID ?)<BR>
<BR>
Jonathan Daugherty wrote:<BR>
> # Therefore COST is not a valid excuse for bypassing SSL.<BR>
><BR>
> I don't think that citing cheap certs is any justification for<BR>
> requiring it. And that is to say nothing about whether a CA is<BR>
> trusted.<BR>
> <BR>
Well, really the issue isn't the costs perhaps (it was given as a reason<BR>
why NOT to require a certain security standard), but the fact that the<BR>
network you are trying to build can perhaps be too easily compromised. But<BR>
this is not the compromise of one lonely site, it's all the sites<BR>
offering OpenID login...<BR>
<BR>
The investment to compromise a user login to a forum is perhaps not so<BR>
interesting for a hacker, but access to hundreds or thousands of sites<BR>
with various levels of information accessible to the (wrongful) user<BR>
would perhaps be disastrous. Personally I thought that I joined the<BR>
discussion very late, especially with the notable involvement of Verisign<BR>
at OpenID, but it seems that there is still some work to be done ;-) In<BR>
my opinion, the https protocol is almost the logical requirement for<BR>
sites dealing with user login and other data... Therefore I agree that<BR>
it is not the costs that should be the justification for requiring SSL,<BR>
but what's at stake for the whole network.<BR>
<BR>
So the question was, what is done in order to protect this network and<BR>
how data has to be secured on transport and perhaps also on the systems<BR>
themselves!?<BR>
<BR>
--<BR>
Regards<BR>
<BR>
Signer: Eddy Nigg, StartCom Ltd.<BR>
Phone: +1.213.341.0390<BR>
<BR>
</FONT>
</P>
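<P><FONT SIZE=2>The trade-off David describes above (a self-signed cert "can do a lot of what is needed", a CA-chained cert adds something on top) comes down to where the relying party gets its trust anchor. The following Go program is an added example for this page; it is not code from the thread, from OpenID, VeriSign or StartCom. It generates a throwaway CA, a CA-issued certificate and a self-signed certificate for the same made-up provider hostname (<CODE>op.example</CODE>, an assumption) and verifies each the way a TLS client would: the self-signed cert only verifies when the relying party has pinned that exact cert out of band, whereas the CA-issued cert verifies against the CA root alone and is still rejected when presented for a hostname it was not issued for.</FONT></P>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. CA templates get the
// certSign key usage; end-entity templates get a DNS SAN and the serverAuth EKU.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a fresh P-256 key and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed with its own new key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifies reports whether leaf builds a valid chain to roots for host,
// which is what a relying party's TLS client does on every handshake.
func verifies(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records the four verification cases behind the self-signed vs CA debate.
type Outcome struct {
	SelfSignedAgainstRoots bool // self-signed OP cert, relying party trusts only the CA root
	SelfSignedPinned       bool // same self-signed cert, relying party pinned it out of band
	ChainedAgainstRoots    bool // CA-issued OP cert, relying party trusts the CA root
	ChainedWrongHost       bool // CA-issued OP cert presented for a hostname it was not issued for
}

// Demo builds a throwaway CA, a CA-issued provider cert and a self-signed
// provider cert for the same made-up hostname, then verifies each one.
func Demo() Outcome {
	const host = "op.example" // assumed OpenID provider hostname, not from the thread
	root, rootKey := makeCert(newTemplate("Example Root CA", true, 1), nil, nil)
	chained, _ := makeCert(newTemplate(host, false, 2), root, rootKey)
	selfSigned, _ := makeCert(newTemplate(host, false, 3), nil, nil)

	caRoots := x509.NewCertPool() // empty but non-nil, so the system root store is NOT consulted
	caRoots.AddCert(root)
	pinned := x509.NewCertPool() // the relying party pinned the provider's self-signed cert itself
	pinned.AddCert(selfSigned)

	return Outcome{
		SelfSignedAgainstRoots: verifies(selfSigned, caRoots, host),
		SelfSignedPinned:       verifies(selfSigned, pinned, host),
		ChainedAgainstRoots:    verifies(chained, caRoots, host),
		ChainedWrongHost:       verifies(chained, caRoots, "other.example"),
	}
}

func main() {
	o := Demo()
	fmt.Printf("self-signed vs CA roots:   %v\n", o.SelfSignedAgainstRoots)
	fmt.Printf("self-signed, pinned:       %v\n", o.SelfSignedPinned)
	fmt.Printf("CA-issued vs CA roots:     %v\n", o.ChainedAgainstRoots)
	fmt.Printf("CA-issued, wrong hostname: %v\n", o.ChainedWrongHost)
}
```

<P><FONT SIZE=2>The pinned case is the "a lot of what is needed" part: a relying party that already holds the provider's exact certificate gets the same confidentiality and server authentication as with a CA-issued one. What the chained case adds is that a relying party which has never seen the provider before can still verify it against a root it already trusts, and hostname checking still rejects a valid cert being replayed for another site. With a self-signed cert that first contact has no anchor, so every relying party has to obtain and pin the cert out of band, which across hundreds of sites is exactly the scaling problem raised in the quoted message.</FONT></P>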
</BODY>
</HTML>