Re: [PROPOSAL] Adding More Color Around SSL Use
Recordon, David wrote:
> I'm planning to check in the following patch to the authentication spec
> later today unless anyone has STRONG objections. It says that SSL is
> not REQUIRED, though comes as close to saying that it is that I think we
> can. Josh, Mart, and I believe this is a good middle position to take
> on the matter. We certainly believe any reputable IdP will correctly
> use SSL, though there are cases (such as using OpenID Authentication
> fully within your own trusted network) where it is not required.

-1, if it's not too late.

There are too many unknowns in this proposed change. While the current text is not good, adding this to the spec is likely to cause harm, for example:

What forms of SSL (incl. cipher suites) are recommended?
What is "a trusted authority" -- trusted by whom and for what?
What does "secure manner" mean?

I'm also wondering how the proposed security profiles correlate with this change. It seems proper to reference these profiles here. Can you shed some light?

Please also note that SSL has been more or less superseded by TLS. TLS1 and SSL3 are quite similar, but not entirely, so equating SSL with TLS should be spelled out. (Unless you imply TLS is verboten, which I don't think is what you're doing :)

Hans

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
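One concrete reading of the patch text discussed in this thread, written as an added Python example that is not part of the OpenID specification or of any message here: a Relying Party policy that refuses to start a transaction with a non-TLS endpoint unless the deployment is explicitly flagged as a private trusted network (the "fully within your own trusted network" case), next to the TLS client settings under which "a certificate signed by a trusted authority" is actually checked, with the weak accept-anything configuration for contrast. The function names, the three policy outcomes and the TLS 1.2 floor are assumptions made for this example.

```python
"""RP-side TLS policy for OpenID endpoints (added example, not spec text).

Assumptions (not from the thread): function names, the policy outcomes
'proceed' / 'proceed-unprotected' / 'refuse', and the TLS 1.2 minimum.
"""
import ssl
from urllib.parse import urlsplit


def endpoint_policy(url: str, *, private_network: bool = False) -> str:
    """Decide whether an RP should contact an IdP endpoint or fetch a
    claimed-identifier URL.

    The patch text says SSL is strongly RECOMMENDED and that an RP MAY
    refuse to begin or complete a transaction when it is not correctly
    used; this policy refuses plain http unless the operator has declared
    the deployment a private trusted network.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "proceed"
    if parts.scheme == "http" and private_network:
        # Trusted-network exception from the proposal; still flagged so the
        # caller can log that the exchange is unprotected.
        return "proceed-unprotected"
    return "refuse"


def make_verifying_context() -> ssl.SSLContext:
    """Client context that verifies the peer chain against the platform
    trust store and checks the hostname, i.e. the 'certificate signed by a
    trusted authority' requirement made concrete. The TLS 1.2 floor is an
    assumption added here (the thread only notes SSL3 and TLS1 differ)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """Weak setting: encrypts the channel but accepts any certificate, so an
    active attacker on the path is not detected. Kept here only so the
    acceptance check below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an untrusted or mismatched
    certificate and refuses SSL3/TLS1.0/TLS1.1."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    # Constructed sample URLs; 'example' and 'internal' hosts are placeholders.
    for u in ("https://idp.example/openid", "http://idp.example/openid"):
        print(u, "->", endpoint_policy(u))
    print("http://idp.internal/openid (private) ->",
          endpoint_policy("http://idp.internal/openid", private_network=True))
    print("verifying context acceptable:", context_is_acceptable(make_verifying_context()))
    print("weak context acceptable:", context_is_acceptable(make_weak_context()))
```

The policy answers Hans's "trusted by whom" question the only way an RP can: trust is whatever root store the RP's TLS library is configured with, and the RP's decision is made before any bytes are exchanged, by looking at the scheme of the endpoint it was handed.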
RE: [security] [PROPOSAL] Adding More Color Around SSL Use
This has now been checked in.
http://openid.net/svn/listing.php?repname=specifications&path=%2F&rev=73&sc=1

--David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Recordon, David
Sent: Thursday, October 26, 2006 1:48 PM
To: [EMAIL PROTECTED]; specs@openid.net
Cc: Martin Atkins
Subject: [security] [PROPOSAL] Adding More Color Around SSL Use

I'm planning to check in the following patch to the authentication spec later today unless anyone has STRONG objections. It says that SSL is not REQUIRED, though comes as close to saying that it is that I think we can. Josh, Mart, and I believe this is a good middle position to take on the matter. We certainly believe any reputable IdP will correctly use SSL, though there are cases (such as using OpenID Authentication fully within your own trusted network) where it is not required.

--David

Index: openid-authentication.xml === --- openid-authentication.xml (revision 68) +++ openid-authentication.xml (working copy) @@ -2216,7 +2216,17 @@ In order to get protection from SSL, SSL must be used for all parts of the interaction, including interaction with -the End User through the User Agent. +the End User through the User Agent. While the protocol + does not require SSL be used, its use is strongly + RECOMMENDED. Current best practicies dictate that an IdP + SHOULD use SSL, with a certificate signed by a trusted + authority, to secure its service endpoint. In addition, + SSL, with a certificate signed by a trusted authority, + SHOULD be used so that a Relying Party can fetch the + End User's URL in a secure manner. Please keep in mind + that a Relying Party MAY decide to not complete, or even + begin, a transaction if SSL is not being correctly used + at these various endpoints.

___
security mailing list
[EMAIL PROTECTED]
http://openid.net/mailman/listinfo/security
Re: [PROPOSAL] Adding More Color Around SSL Use
+1

Recordon, David wrote:
> I'm planning to check in the following patch to the authentication spec
> later today unless anyone has STRONG objections. It says that SSL is
> not REQUIRED, though comes as close to saying that it is that I think we
> can. Josh, Mart, and I believe this is a good middle position to take
> on the matter. We certainly believe any reputable IdP will correctly
> use SSL, though there are cases (such as using OpenID Authentication
> fully within your own trusted network) where it is not required.
>
> --David

--
Pete
[PROPOSAL] Adding More Color Around SSL Use
I'm planning to check in the following patch to the authentication spec later today unless anyone has STRONG objections. It says that SSL is not REQUIRED, though comes as close to saying that it is that I think we can. Josh, Mart, and I believe this is a good middle position to take on the matter. We certainly believe any reputable IdP will correctly use SSL, though there are cases (such as using OpenID Authentication fully within your own trusted network) where it is not required.

--David

Index: openid-authentication.xml === --- openid-authentication.xml (revision 68) +++ openid-authentication.xml (working copy) @@ -2216,7 +2216,17 @@ In order to get protection from SSL, SSL must be used for all parts of the interaction, including interaction with -the End User through the User Agent. +the End User through the User Agent. While the protocol + does not require SSL be used, its use is strongly + RECOMMENDED. Current best practicies dictate that an IdP + SHOULD use SSL, with a certificate signed by a trusted + authority, to secure its service endpoint. In addition, + SSL, with a certificate signed by a trusted authority, + SHOULD be used so that a Relying Party can fetch the + End User's URL in a secure manner. Please keep in mind + that a Relying Party MAY decide to not complete, or even + begin, a transaction if SSL is not being correctly used + at these various endpoints.
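Review bot: the added paragraph in the @@ -2216 hunk leaves "a trusted authority" and "a secure manner" undefined, so an implementer cannot tell what a Relying Party is expected to verify before it decides to "not complete, or even begin, a transaction"; suggest stating it in terms of what the RP checks, e.g. that the certificate chains to an authority the RP trusts and that its subject matches the endpoint's host name, and pointing at the security profiles Hans asks about rather than repeating the phrase twice. Two smaller points in the same hunk: "practicies" should read "practices" in "Current best practicies dictate", and "does not require SSL be used" reads better as "does not require that SSL be used". Finally, the text says "SSL" throughout while what is deployed is TLS, and SSL3 and TLS1 are similar but not identical (as raised in the thread); naming TLS explicitly, or saying that "SSL" here covers TLS, would avoid implying a TLS-only endpoint is non-compliant.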