[security] security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Oct 26 12:55:27 UTC 2006
(Please post this on security@ not general@)
James A. Donald wrote:
> Protocols should specify how the communicating parties should
> interact, not how everyone in the universe should behave.
Yes, in theory I understand that absolutely and parts of the suggestions
concerning security indeed affect the protocol.
> If the IDP has a bad logon process, the primary victim is the person
> who chose the IDP, so the matter will correct itself.
I think there will be two victims: the relying party and the user.
Since the relying party has a responsibility for his own facility and by
allowing OpenID login/authentication procedures he depends on the IDP's.
However, as of now, he can't choose which IDPs are trustworthy either;
there is only a binary decision to implement / allow OpenID or not. Now,
being responsible for the authentication of his own facility, the
relying party might be a victim too. So currently I see a problem here,
which has to get solved this way or any other one... now or later...
> Flexibility is dangerous - as IPsec demonstrated, but so is trying to
> dictate everything to everyone.
Well, I don't know what the difference is between defining certain
aspects of the protocol, data exchange and conditions to be met in order
to successfully implement the proposed standard, and the
suggestions I made. I very much see them as connected and intertwined with
each other. A standard itself is a definition and as such a dictate,
some parts explicit and others optional, but still a dictate...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390