<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
However the current specs speak about the whole facility of the IDP,
not only the interaction with the RP:<br>
<br>
<pre>In order to get protection from SSL, SSL must be used for all parts
of the interaction, including interaction with the End User
through the User Agent.</pre>
This is out of control of the RP!!! The RP has no way of knowing, how
the facility of the IDP works, except the <u>optional</u> assoc_handle
exchange...Which in itself is a mystery for me...Therefore the RP can't
protect itself!<br>
<br>
Martin Atkins wrote:
<blockquote cite="mid45429B22.1070204@degeneration.co.uk" type="cite">
<pre wrap="">Hans Granqvist wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Recordon, David wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I'm planning to check in the following patch to the authentication spec
later today unless anyone has STRONG objections. It says that SSL is
not REQUIRED, though comes as close to saying that it is that I think we
can. Josh, Mart, and I believe this is a good middle position to take
on the matter. We certainly believe any reputable IdP will correctly
use SSL, though there are cases (such as using OpenID Authentication
fully within your own trusted network) where it is not required.
</pre>
</blockquote>
<pre wrap="">-1, if it's not too late
There are too many unknowns in this proposed change. While the
current text is not good, adding this to the spec is likely to
cause harm, for example:
What forms of SSL (incl. cipher suites) are recommended? What
is "a trusted authority" -- trusted by whom and for what? What
does "secure manner" mean?
I'm also wondering how the proposed security profiles correlate
with this change. It seems proper to reference these profiles
here. Can you shed some light?
Please also note that SSL has been more or less superseded by
TLS. TLS1 and SSL3 are quite similar, but not entirely, so
equating SSL with TLS should be spelled out. (Unless you imply
TLS is verboten, which I don't think is what you're doing :)
</pre>
</blockquote>
<pre wrap=""><!---->
I think the intention is something more like the following:
* It is RECOMMENDED that IdPs use some kind of security on their HTTP
endpoint. We've called that SSL right now, but really this
recommendation is not specific to SSL.
* The choice of accepted cipher suites, trusted authorities and such
is a policy decision on the part of the RP. The spec can't really be
more specific except perhaps to make it more clear that the RP is free
to decide its own security policy. The non-normative "best practices"
document will likely go into more detail including some reasonable
baseline security profiles, which are likely to be based on the recent
proposal.
_______________________________________________
security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
</body>
</html>