<br><br><div class="gmail_quote">On Tue, Mar 17, 2009 at 4:07 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div class="im">
<div>>>I'd like to remove the requirement for SSL enabled OPs to
support DH. Are there any OPs that don't support HTTPS?</div>
<div>></div>
</div><div class="im"><div>>Of course. But perhaps the useful question could be
phrased "are there any OPs that don't support HTTPS that people
would cry about not working any more?"</div>
<div><br></div>
</div><div>Definitely! Individuals running their own OPs who don't care
about security (because they only use it for leaving comments, and
other low-value purposes), but *do* care about privacy (not giving
*any* third party information about their OpenID activity on the web),
and can't afford to use website hosts that provide SSL.</div></div></blockquote><div><br>1. They have no privacy against their hosting provider.<br><br>2. Do they need confidential keys? Isn't DNS security sufficient for the protection of blog comments?<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div>
<div><br></div>
<div>(Note that "can't afford to use" doesn't just mean
"free as in beer", here; if the providers require
registration information that the user, for privacy reasons, will not
divulge, they cannot afford to use that provider's services. It's
simple logic, albeit of the sort that seems to flee users' minds
whenever faced with an SLA for software.)</div>
<div><br></div>
<div>Perhaps the use of SSL could be added into the minimum assurance
levels area of the spec, so that users who insist on using OpenID but
refuse to use an SSL-enabled OP will simply be unable to achieve any
level of assurance beyond the very lowest? Sufficient for comment spam
and the like, so OpenID still has *some* use to end-users.</div>
<div><br></div>
<div>-Shade</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>