[security] Please convince me not to ban SSL (OP's)
SitG Admin
sysadmin at shadowsinthegarden.com
Fri May 8 20:30:18 UTC 2009
>This discussion also assumes that it is not possible to serve signed
>discovery documents.
>
>If OpenID decides to support the new discovery mechanisms proposed by
>the XRI TC, the path to obtaining a discovery document is irrelevant,

I hadn't been aware it was in the spec (or libraries) yet.

>what is relevant is the RP security posture. RPs could:
>
>1. Only accept delegation and signin through secured discovery (which
>here means that the recovered discovery documents are signed with
>authoritative keys).
>2. Accept both types of delegation, but assign to different URLs
>different security profiles (depending on how the authentication takes
>place) and prevent security level downgrades.

I've thought about giving accounts a user-configurable option for
"don't use non-SSL auth for me". An alternative is withholding
information from non-SSL authenticated logins, but that isn't much of
an alternative because I also want to conceal from attackers exactly
what files are on a user's ACL.

>SSL infrastructure. The security is probably also better, because
>AFAIK web server defacements are more frequent events than private key
>compromises.

So very true! More common than DNS hacks, even :)

-Shade
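
Added example (not part of the original message, and not code from any OpenID library): a sketch of the relying-party policy discussed above, combining option 2's "prevent security level downgrades" with the per-account "don't use non-SSL auth for me" switch. The names `Level`, `classify` and `DowngradeGuard` are hypothetical, the URLs are constructed, and signature verification of the discovery document is assumed to happen elsewhere.

```python
from enum import IntEnum
from urllib.parse import urlsplit


class Level(IntEnum):
    PLAIN = 0   # claimed identifier or OP endpoint reached over plain HTTP
    TLS = 1     # claimed identifier and OP endpoint both https
    SIGNED = 2  # discovery document carried a signature the caller verified


def classify(claimed_id, op_endpoint, discovery_signed=False):
    """Rate one completed login by the weakest link in its discovery path."""
    if discovery_signed:  # assumption: already verified against authoritative keys
        return Level.SIGNED
    schemes = {urlsplit(u).scheme.lower() for u in (claimed_id, op_endpoint)}
    return Level.TLS if schemes == {"https"} else Level.PLAIN


class DowngradeGuard:
    """Per-account floor: a login below the floor is refused."""

    def __init__(self):
        self.floor = {}  # local account name -> minimum Level accepted

    def require_ssl(self, account):
        """User-set option: never accept non-SSL auth for this account."""
        current = self.floor.get(account, Level.PLAIN)
        self.floor[account] = max(current, Level.TLS)

    def check(self, account, claimed_id, op_endpoint, discovery_signed=False):
        """Return (allowed, level); raise the floor after each accepted login."""
        level = classify(claimed_id, op_endpoint, discovery_signed)
        if level < self.floor.get(account, Level.PLAIN):
            return False, level
        self.floor[account] = level  # ratchet: later logins may not go lower
        return True, level


if __name__ == "__main__":
    guard = DowngradeGuard()
    # Constructed sample logins for one account, in order.
    attempts = [
        ("http://alice.example/", "http://op.example/auth"),
        ("https://alice.example/", "https://op.example/auth"),
        ("https://alice.example/", "http://op.example/auth"),  # mixed path
    ]
    for claimed_id, endpoint in attempts:
        ok, level = guard.check("alice", claimed_id, endpoint)
        print(claimed_id, endpoint, level.name, "accepted" if ok else "refused")
```

A mixed path (https identifier delegating to an http endpoint) is rated PLAIN, so it is refused once the account has logged in over TLS.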