[security] [PROPOSAL] Adding More Color Around SSL Use

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Oct 26 21:08:23 UTC 2006


+1 This is certainly a step in the right direction!

Hope this will be improved in the future to "required", since the ones
using it within their own trusted network (LAN etc.) don't interfere
with the Internet-based network! They would be free to do whatever they
want on their own turf. It's also non-controllable and can't be audited
on private networks and therefore almost not relevant!

I'd propose that private networks which don't interfere with the public
one are exempt from this obligation. All the rest MUST use SSL....

Recordon, David wrote:
> I'm planning to check in the following patch to the authentication spec
> later today unless anyone has STRONG objections.  It says that SSL is
> not REQUIRED, though comes as close to saying that it is that I think we
> can.  Josh, Mart, and I believe this is a good middle position to take
> on the matter.  We certainly believe any reputable IdP will correctly
> use SSL, though there are cases (such as using OpenID Authentication
> fully within your own trusted network) where it is not required.
>
> --David
>
> Index: openid-authentication.xml
> ===================================================================
> --- openid-authentication.xml	(revision 68)
> +++ openid-authentication.xml	(working copy)
> @@ -2216,7 +2216,17 @@
>            <t>
>              In order to get protection from SSL, SSL must be used for
>              all parts of the interaction, including interaction with
> -            the End User through the User Agent.
> +            the End User through the User Agent.  While the protocol
> +	    does not require SSL be used, its use is strongly
> +	    RECOMMENDED.  Current best practicies dictate that an IdP
> +	    SHOULD use SSL, with a certificate signed by a trusted
> +	    authority, to secure its service endpoint.  In addition,
> +	    SSL, with a certificate signed by a trusted authority,
> +	    SHOULD be used so that a Relying Party can fetch the
> +	    End User's URL in a secure manner.  Please keep in mind
> +	    that a Relying Party MAY decide to not complete, or even
> +	    begin, a transaction if SSL is not being correctly used
> +	    at these various endpoints.
>            </t>
>          </section>
>        </section>
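Review bot: "practicies" in the added line "Current best practicies dictate that an IdP" is a typo for "practices", and the added lines are indented with a tab plus spaces while the surrounding `<t>` text uses spaces only, so the rendered XML will show ragged indentation; please normalise to spaces before committing. On substance, the hunk says an RP "MAY decide to not complete, or even begin, a transaction if SSL is not being correctly used at these various endpoints" but never says what "correctly used" means; consider stating the minimum an RP should check (certificate chains to a trusted authority and matches the endpoint hostname, and the interaction does not fall back to plain HTTP partway through), otherwise each RP will invent its own rule and the RECOMMENDED wording gives implementers nothing concrete to test against.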
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>   

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390