[security] [PROPOSAL] Adding More Color Around SSL Use
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Oct 28 00:02:43 UTC 2006
However the current specs speak about the whole facility of the IDP, not
only the interaction with the RP:
In order to get protection from SSL, SSL must be used for all parts
of the interaction, including interaction with the End User
through the User Agent.
This is out of control of the RP!!! The RP has no way of knowing, how
the facility of the IDP works, except the _optional_ assoc_handle
exchange...Which in itself is a mystery for me...Therefore the RP can't
protect itself!
Martin Atkins wrote:
> Hans Granqvist wrote:
>
>> Recordon, David wrote:
>>
>>> I'm planning to check in the following patch to the authentication spec
>>> later today unless anyone has STRONG objections. It says that SSL is
>>> not REQUIRED, though comes as close to saying that it is that I think we
>>> can. Josh, Mart, and I believe this is a good middle position to take
>>> on the matter. We certainly believe any reputable IdP will correctly
>>> use SSL, though there are cases (such as using OpenID Authentication
>>> fully within your own trusted network) where it is not required.
>>>
>> -1, if it's not too late
>>
>> There are too many unknowns in this proposed change. While the
>> current text is not good, adding this to the spec is likely to
>> cause harm, for example:
>>
>> What forms of SSL (incl. cipher suites) are recommended? What
>> is "a trusted authority" -- trusted by whom and for what? What
>> does "secure manner" mean?
>>
>> I'm also wondering how the proposed security profiles correlate
>> with this change. It seems proper to reference these profiles
>> here. Can you shed some light?
>>
>> Please also note that SSL has been more or less superseded by
>> TLS. TLS1 and SSL3 are quite similar, but not entirely, so
>> equating SSL with TLS should be spelled out. (Unless you imply
>> TLS is verboten, which I don't think is what you're doing :)
>>
>>
>
> I think the intention is something more like the following:
> * It is RECOMMENDED that IdPs use some kind of security on their HTTP
> endpoint. We've called that SSL right now, but really this
> recommendation is not specific to SSL.
> * The choice of accepted cipher suites, trusted authorities and such
> is a policy decision on the part of the RP. The spec can't really be
> more specific except perhaps to make it more clear that the RP is free
> to decide its own security policy. The non-normative "best practices"
> document will likely go into more detail including some reasonable
> baseline security profiles, which are likely to be based on the recent
> proposal.
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061028/6e5c3c18/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eddy_nigg.vcf
Type: text/x-vcard
Size: 636 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061028/6e5c3c18/attachment-0002.vcf>
More information about the security
mailing list