<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=383092019-23102006>OK, maybe I'll throw out my idea for solving
these problems.</SPAN></DIV>
<DIV><SPAN class=383092019-23102006></SPAN> </DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>1. Require SSL for
any data transfer from IdP to RP (assuming data isn't going the other
way).</FONT></SPAN></DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>2. Sign or encrypt
the logon token (however or wherever it is stored).</FONT></SPAN></DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>3. Expire the logon
after a certain period of time ( ).</FONT></SPAN></DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>4. Require SSL for
IdPs' logon pages, etc.</FONT></SPAN></DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>5. Heavily recommend
that IdPs use:</FONT></SPAN></DIV>
<UL>
<LI><SPAN class=383092019-23102006><FONT face=Arial
size=2>DNSSEC</FONT></SPAN></LI>
<LI><SPAN class=383092019-23102006><FONT face=Arial size=2>Salted passwords
with strong hashing algos (i.e. NOT MD5 or SHA1)</FONT></SPAN></LI>
<LI><SPAN class=383092019-23102006><FONT face=Arial size=2>Locked-down systems
(patches, AV, firewalls, etc.)</FONT></SPAN></LI></UL>
<DIV><SPAN class=383092019-23102006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial size=2>Thus RPs do not
require an SSL cert, the data can be trusted, and it can be proven that it has
not been modified.</FONT></SPAN></DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=383092019-23102006><FONT face=Arial
size=2></FONT></SPAN> </DIV></BODY></HTML>