[security] security
James A. Donald
jamesd at echeque.com
Fri Oct 27 08:00:22 UTC 2006
--
James A. Donald wrote:
> > If the IDP has a bad logon process, the primary
> > victim is the person who chose the IDP, so the
> > matter will correct itself.
Eddy Nigg
> I think there will be two victims: The relying party
> and the user.
Well everything I do affects lots of other people, which
argument leads to the conclusion that everything I do
should be regulated, which is silly.
So long as a large portion of the cost falls on the
person who makes the decision, and is best able to judge
whether the decision is wise or unwise, things will work
out.
> Well, I don't know what the difference is between
> defining certain aspects of the protocol, data
> exchange and conditions to be met in order to
> successfully implement the proposed standard, and
> between the suggestions I made.
Suppose we all agreed it was a good idea: What would
happen? Nothing would happen! In this sense, it really
is out of scope. There is no way we can cause the
protocol to fail if the IDP is following bad logon
practices, but wants the protocol to succeed, any
more than we could cause the protocol to fail if the IDP
was a pedophile.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
29tWjpfebXpjBxFQLcD+fTaXJhEAGfROMlkKnhrk
4QkVKtHegpqie7WoRRM7AjpuPMXnzUp1uBQ+hE7E6