[security] [PROPOSAL] Adding More Color Around SSL Use
Martin Atkins
mart at degeneration.co.uk
Fri Oct 27 23:49:54 UTC 2006
Hans Granqvist wrote:
> Recordon, David wrote:
>> I'm planning to check in the following patch to the authentication spec
>> later today unless anyone has STRONG objections. It says that SSL is
>> not REQUIRED, though comes as close to saying that it is that I think we
>> can. Josh, Mart, and I believe this is a good middle position to take
>> on the matter. We certainly believe any reputable IdP will correctly
>> use SSL, though there are cases (such as using OpenID Authentication
>> fully within your own trusted network) where it is not required.
>
> -1, if it's not too late
>
> There are too many unknowns in this proposed change. While the
> current text is not good, adding this to the spec is likely to
> cause harm, for example:
>
> What forms of SSL (incl. cipher suites) are recommended? What
> is "a trusted authority" -- trusted by whom and for what? What
> does "secure manner" mean?
>
> I'm also wondering how the proposed security profiles correlate
> with this change. It seems proper to reference these profiles
> here. Can you shed some light?
>
> Please also note that SSL has been more or less superseded by
> TLS. TLS1 and SSL3 are quite similar, but not entirely, so
> equating SSL with TLS should be spelled out. (Unless you imply
> TLS is verboten, which I don't think is what you're doing :)
>
I think the intention is something more like the following:

* It is RECOMMENDED that IdPs use some kind of security on their HTTP
  endpoint. We've called that SSL right now, but really this
  recommendation is not specific to SSL.

* The choice of accepted cipher suites, trusted authorities and such
  is a policy decision on the part of the RP. The spec can't really be
  more specific except perhaps to make it more clear that the RP is free
  to decide its own security policy. The non-normative "best practices"
  document will likely go into more detail including some reasonable
  baseline security profiles, which are likely to be based on the recent
  proposal.