<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
+1 This is certainly a step into the right direction! <br>
<br>
Hope this will be improved in the future to "required", since the ones
using it within their own trusted network (LAN etc) , don't interfere
with the Internet based network! They would be free to do whatever they
want on their own turf. It's also non controllable and can't be audited
on private networks and therefor almost not relevant!<br>
<br>
I'd propose, that private networks which don't interfere with the
public one, are exempt from this obligation. All the rest MUST use
SSL....<br>
<br>
Recordon, David wrote:
<blockquote
cite="mid7E7CA24460925C44AEB4F202BA7E45F31529F4@MOU1WNEXMB14.vcorp.ad.vrsn.com"
type="cite">
<pre wrap="">I'm planning to check in the following patch to the authentication spec
later today unless anyone has STRONG objections. It says that SSL is
not REQUIRED, though comes as close to saying that it is that I think we
can. Josh, Mart, and I believe this is a good middle position to take
on the matter. We certainly believe any reputable IdP will correctly
use SSL, though there are cases (such as using OpenID Authentication
fully within your own trusted network) where it is not required.
--David
Index: openid-authentication.xml
===================================================================
--- openid-authentication.xml (revision 68)
+++ openid-authentication.xml (working copy)
@@ -2216,7 +2216,17 @@
<t>
In order to get protection from SSL, SSL must be used for
all parts of the interaction, including interaction with
- the End User through the User Agent.
+ the End User through the User Agent. While the protocol
+ does not require SSL be used, its use is strongly
+ RECOMMENDED. Current best practicies dictate that an IdP
+ SHOULD use SSL, with a certificate signed by a trusted
+ authority, to secure its service endpoint. In addition,
+ SSL, with a certificate signed by a trusted authority,
+ SHOULD be used so that a Relying Party can fetch the
+ End User's URL in a secure manner. Please keep in mind
+ that a Relying Party MAY decide to not complete, or even
+ begin, a transaction if SSL is not being correctly used
+ at these various endpoints.
</t>
</section>
</section>
_______________________________________________
security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
</body>
</html>