This has now been checked in.
http://openid.net/svn/listing.php?repname=specifications&path=%2F&rev=73&sc=1

--David 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Recordon, David
Sent: Thursday, October 26, 2006 1:48 PM
To: [EMAIL PROTECTED]; specs@openid.net
Cc: Martin Atkins
Subject: [security] [PROPOSAL] Adding More Color Around SSL Use

I'm planning to check in the following patch to the authentication spec
later today unless anyone has STRONG objections.  It says that SSL is
not REQUIRED, though comes as close to saying that it is that I think we
can.  Josh, Mart, and I believe this is a good middle position to take
on the matter.  We certainly believe any reputable IdP will correctly
use SSL, though there are cases (such as using OpenID Authentication
fully within your own trusted network) where it is not required.

--David

Index: openid-authentication.xml
===================================================================
--- openid-authentication.xml   (revision 68)
+++ openid-authentication.xml   (working copy)
@@ -2216,7 +2216,17 @@
           <t>
             In order to get protection from SSL, SSL must be used for
             all parts of the interaction, including interaction with
-            the End User through the User Agent.
+            the End User through the User Agent.  While the protocol
+           does not require SSL be used, its use is strongly
+           RECOMMENDED.  Current best practicies dictate that an IdP
+           SHOULD use SSL, with a certificate signed by a trusted
+           authority, to secure its service endpoint.  In addition,
+           SSL, with a certificate signed by a trusted authority,
+           SHOULD be used so that a Relying Party can fetch the
+           End User's URL in a secure manner.  Please keep in mind
+           that a Relying Party MAY decide to not complete, or even
+           begin, a transaction if SSL is not being correctly used
+           at these various endpoints.
           </t>
         </section>
       </section>
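Review bot: "if SSL is not being correctly used at these various endpoints" (the last added sentence) leaves "correctly used" undefined, which matters because the same paragraph already ties correct use to "a certificate signed by a trusted authority"; consider stating the two conditions a Relying Party is expected to check before it declines a transaction, e.g. that the certificate chains to a trusted authority and that it matches the host being contacted, so implementers do not each invent their own test. Two smaller points in the same hunk: "best practicies" should read "best practices", and "does not require SSL be used" reads better as "does not require that SSL be used". Style: the first `+` line keeps the 12-space indent of the surrounding `<t>` text while the remaining added lines use 11 spaces; align them so the rendered XML source stays consistent.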
_______________________________________________
security mailing list
[EMAIL PROTECTED]
http://openid.net/mailman/listinfo/security
