On 10/20/06, <b class="gmail_sendername">Alaric Dailey</b> <<a href="mailto:alaricd@pengdows.com">alaricd@pengdows.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Is SSL going to be required (to protect the users data en-route)? </div></blockquote><div><br>It is going to be strongly encouraged, but not required. The reality of the situation is that not every site wants to pay for or can afford an SSL certificate, and there are many valid scenarios in which that level of protection is not necessary. Making a comment on a blog, posting to a message board, or getting access to family photos are all scenarios in which I expect that SSL might not be available.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div bgcolor="#ffffff" text="#000000">
DNSSEC to validate the DNS hasn't been modified?</div></blockquote><div><br>Same argument as above, except that DNSSEC is not widely used, so requiring it would set the bar even higher. I think it would be great for support of DNSSEC to be wider, but requiring it would harm adoption, especially for community sites, personal sites, and other non-commercial communities.
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div bgcolor="#ffffff" text="#000000">
Has anyone thought about this?</div></blockquote><div><br></div></div>yep :)<br><br>The specification will enumerate the trade-offs for using or not using different security technologies, and leave the decision up to implementers. Hans from VeriSign has designed security profiles for OpenID implementations.
<br><br>Basically, the idea is that the user (with the IdP and RP's help) will make decisions on what is secure enough while adoption is still taking place, and eventually, there will be enforceable levels of security.<br>
<br>Josh<br>