<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Doesn't this loop back to
<a class="moz-txt-link-freetext" href="http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html">http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html</a>
?<br>
<br>
The lack of a formal problem statement/requirements means that, to a
certain extent, we are all just stumbling about in the dark, bumping
into each other, rather than converging on a specific goal.<br>
<br>
Cheers,<br>
<br>
Pat<br>
<br>
Paul C. Bryan wrote:
<blockquote cite="mid:1190388558.9568.32.camel@sidekick.local.host"
type="cite">
<pre wrap="">Well put. +1!
If there were general consensus by the OpenID development and deployment
communities that OpenID should be strictly limited to being a
replacement to email verification, I certainly wouldn't quarrel so much
with such attempts at making it more intuitive at the expense of
security.
Paul
On Fri, 2007-09-21 at 08:11 -0500, Christopher St John wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 9/20/07, Paul C. Bryan <a class="moz-txt-link-rfc2396E" href="mailto:email@pbryan.net"><email@pbryan.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I believe the question should be framed around what solution can be
(primarily) secure and (secondarily) intuitive.
</pre>
</blockquote>
<pre wrap="">I think the disconnect is the assumption that OpenID should be secure
against every conceivable form of attack and appropriate for the most
sensitive financial transactions.
It's not.
It's a widely applicable but very simple and limited replacement for
those stupid email verification thingies. As such, it's more important
that it be intuitive than ultimately secure.
If you need the former, then Oasis has some technology for you. It's
pointless to try and reinvent it here.
Limiting the scope makes it possible to ignore lots of hard
problems.
For example, I suspect that the DNS attack is a red herring. If you
had control of someone's access to DNS you could do much
evil-er things than mess with their OpenID. And the fact that their
OpenID is a relatively low-value target (compared to bank logins)
makes it less likely to be attacked.
-cks
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Pat Patterson - <a class="moz-txt-link-abbreviated" href="mailto:pat.patterson@sun.com">pat.patterson@sun.com</a>
Federation Architect,
Sun Microsystems, Inc.
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat">http://blogs.sun.com/superpat</a>
</pre>
</body>
</html>