<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">This comparison is not specific to security, but does address it<br><br>http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html<br><br>paul<br><br>p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.<br><div> </div>-- <br>Paul Madsen e:paulmadsen @
ntt-at.com<br>NTT p:613-482-0432<br>
m:613-302-1428<br> aim:PaulMdsn5<br> web:connectid.blogspot.com<div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">----- Original Message ----<br>From: Peter <peterw@tux.org><br>To: Peter
Williams <pwilliams@rapattoni.com><br>Cc: "general@openid.net" <general@openid.net><br>Sent: Wednesday, September 17, 2008 2:19:46 PM<br>Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...<br><br><br>Peter Williams <<a ymailto="mailto:pwilliams@rapattoni.com" href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<br>> Folks in the liberty alliance message (openly and convincingly) <br>> that openid cannot ever - inherently - be used for any purpose <br>> requiring "assurance". They point to the undisputed claim that <br>> the open designers knowingly made design tradeoffs in the crypto <br>> handshake and security critical securty service composition rules, <br>> so as to make it all easy to deploy and adopt. Because of this <br>> precept, openid cannot even *be* fixed (since low assurance is the <br>> actual goal).<br><br>As someone who's moving towards
integrating OpenID (RP and OP) into his<br>employer's web apps, I would very much appreciate URLs to such critiques. <br><br>From what I see, the most glaring problem is that some "major sites" that<br>act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so<br>RPs cannot leverage cheap, ubiqitous SSL/TLS PKI to help thwart the more<br>obvious DNS and MITM/phishing attacks. <br><br>BTW, whoever maintains <a href="http://openid.net/get/" target="_blank">http://openid.net/get/</a> should probably change the<br>Yahoo information to "<a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a>" since that works and, unlike<br><a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a>, uses SSL/TLS.<br><br>Thanks,<br><br>Peter<br><br>_______________________________________________<br>general mailing list<br><a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a><br><a
href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br></div></div></div></body></html>