OpenID Auth 2.0 security considerations

Hallam-Baker, Phillip pbaker at verisign.com
Tue Jan 23 22:19:00 UTC 2007 

I get really worried whenever I see such statements. They tend to be the sign of a long drawn out specification effort rather than a short one.

If you want to change the Internet you have a lot of gatekeepers to convince. Deciding that you don't have time to do that is usually a mistake. 

The key is to understand which parties are really gatekeepers and which are not. Two gatekeepers that must be convinced here are the security cabal and the open source community. 

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Johannes Ernst
> Sent: Tuesday, January 23, 2007 3:57 PM
> To: Recordon, David
> Cc: specs at openid.net
> Subject: Re: OpenID Auth 2.0 security considerations
> 
> Given where we are in time, I would suggest to make the 
> smallest amount of changes possible to the document, i.e. 
> leave everything as is, just add this one link.
> 
> 
> On Jan 23, 2007, at 11:59, Recordon, David wrote:
> 
> > I don't see a problem with that.
> >
> > Would you propose the majority of the security 
> considerations section 
> > in the current draft be moved to the wiki?  What would be 
> the balance 
> > between spec and wiki page?
> >
> > --David
> >
> > -----Original Message-----
> > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On 
> > Behalf Of Johannes Ernst
> > Sent: Monday, January 22, 2007 12:15 PM
> > To: specs at openid.net
> > Subject: OpenID Auth 2.0 security considerations
> >
> > What about a non-normative link from the spec to a place on 
> the wiki 
> > where we can collect security considerations for it, and 
> update those 
> > in real-time as discussions such as the phishing one progress.
> >
> >
> >
> > _______________________________________________
> > specs mailing list
> > specs at openid.net
> > http://openid.net/mailman/listinfo/specs
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>

More information about the specs mailing list