RE: HTTPS status

2007-03-01 Thread McGovern, James F (HTSC, IT)
May I argue that a secure end-to-end encrypted channel does not always equal 
SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential 
of using identity-based encryption (IBE)...

Date: Wed, 28 Feb 2007 20:23:46 -0600
From: Alaric Dailey [EMAIL PROTECTED]
Subject: RE: HTTPS status
To: specs@openid.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

That wording is better than I remember, but really with free certificates
being readily available, and the obvious need for protecting users' data, WHY
oh WHY is there even support for an unencrypted channel?  Heck even Jabber
is being moved to a completely secure end to end encrypted channel.  With
this being created brand new, why start insecure?

I realize I am repeating the same thing I started a few months ago, but with
MS and AOL supporting OpenID, it means a lot more users will be exposed to
it, making it even more important to do it right from the beginning.

Why is there such reluctance?
 



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: HTTPS status

2007-03-01 Thread Alaric Dailey
You could certainly argue it, I have no objection, SSL seems the obvious
choice for several reasons

1. Cheap (now free from several CAs)
2. Well Supported (the code I looked at was running over HTTP so it would be
a VERY minor change to do https)
3. Identity validation is done by the CA.

Are a few off the top of my head.  However... I am not hung up on it, what I
see as ABSOLUTELY Necessary is protecting the users data in transit with
encryption.
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of McGovern, 
 James F (HTSC, IT)
 Sent: Thursday, March 01, 2007 12:20 PM
 To: specs@openid.net
 Subject: RE: HTTPS status
 
 May I argue that a secure end-to-end encrypted channel does 
 not always equal SSL? I know that PKI is pervasive, but 
 wouldn't want to rule out the potential of using 
 identity-based encryption (IBE)...
 
 Date: Wed, 28 Feb 2007 20:23:46 -0600
 From: Alaric Dailey [EMAIL PROTECTED]
 Subject: RE: HTTPS status
 To: specs@openid.net
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=us-ascii
 
 That wording is better than I remember, but really with free 
 certificates being readily available, and the obvious need 
 for protecting users' data, WHY oh WHY is there even support 
 for an unencrypted channel?  Heck even Jabber is being moved 
 to a completely secure end to end encrypted channel.  With 
 this being created brand new, why start insecure?
 
 I realize I am repeating the same thing I started a few 
 months ago, but with MS and AOL supporting OpenID, it means a 
 lot more users will be exposed to it, making it even more 
 important to do it right from the beginning.
 
 Why is there such reluctance?
  
 
 


HTTPS status

2007-02-28 Thread Alaric Dailey
Eddy Nigg and I brought up the issue of requiring SSL  a while back, since
then I have been swamped, it looked like there was some more talk about it
since then.  
 
I know that there are several other people, that are concerned about this
too, and it has even been blogged about (
http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
 
Can someone please tell me the status on this? Hopefully it's being required!



Re: HTTPS status

2007-02-28 Thread Martin Atkins
Alaric Dailey wrote:
 Eddy Nigg and I brought up the issue of requiring SSL  a while back, since
 then I have been swamped, it looked like there was some more talk about it
 since then.  
  
 I know that there are several other people, that are concerned about this
 too, and it has even been blogged about (
 http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
  
 Can someone please tell me the status on this? Hopefully it's being required!
 

As far as I'm aware, the current status is:

  * All OpenID identifiers SHOULD use a secure channel.
  * All OpenID servers SHOULD use a secure channel.
  * OpenID relying parties MUST support SSL access to HTTP URLs.
  * OpenID relying parties MAY refuse to interface with identifiers and 
servers that do not use a secure channel.
  * All other connections are out of scope of OpenID Authentication.

I may be wrong on these, as I'm listing them from memory.



In practice, I expect all big OpenID providers will support SSL because 
users will demand it. The sites currently providing OpenID identifiers 
as value-add features alongside an existing service (LiveJournal, etc.) 
probably won't get used much once there are more proper providers.

People hosting their own identifiers and/or OPs probably won't use SSL, 
but then they won't be able to use their identifiers at any site which 
requires SSL-based OpenID Authentication, and they'll be in the minority 
anyway.
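
Added example, not part of the original thread or of any OpenID library: a relying party that exercises the "MAY refuse" item in the status list above by rejecting a login when the identifier, any discovery redirect, or the server endpoint is not on https. The function names, the policy constants, the treatment of scheme-less input as http://, and the example.* hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical policy names; the thread only says relying parties "MAY refuse".
ALLOW_ANY = "allow-any"      # accept http and https (the SHOULD-only baseline)
REQUIRE_TLS = "require-tls"  # exercise the MAY: refuse anything not on https


def normalize_identifier(user_input):
    """Assumed normalization: scheme-less input is treated as http://."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    return text


def insecure_hops(identifier, redirect_chain, op_endpoint):
    """Return every (role, url) in the flow that is not served over https."""
    hops = [("identifier", normalize_identifier(identifier))]
    hops += [("redirect", url) for url in redirect_chain]
    hops.append(("op_endpoint", op_endpoint))
    bad = []
    for role, url in hops:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https" or not parts.hostname:
            bad.append((role, url))
    return bad


def rp_decision(identifier, redirect_chain, op_endpoint, policy=REQUIRE_TLS):
    """Return (accepted, insecure hops) for one login attempt."""
    bad = insecure_hops(identifier, redirect_chain, op_endpoint)
    accepted = policy == ALLOW_ANY or not bad
    return accepted, bad


# Constructed sample inputs: (identifier, redirects seen, server endpoint).
SAMPLES = [
    ("https://alice.example.org/", [], "https://op.example.net/auth"),
    ("alice.example.org", [], "https://op.example.net/auth"),
    ("https://bob.example.org/", ["http://bob.example.org/id"],
     "https://op.example.net/auth"),
    ("https://carol.example.org/", [], "http://op.example.net/auth"),
]

if __name__ == "__main__":
    for ident, chain, endpoint in SAMPLES:
        print(ident, rp_decision(ident, chain, endpoint))
```

Checking only the identifier is not enough: the third and fourth samples start on https and still touch a plain-HTTP hop, so the whole chain is evaluated.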



RE: HTTPS status

2007-02-28 Thread Alaric Dailey
That wording is better than I remember, but really with free certificates
being readily available, and the obvious need for protecting users' data, WHY
oh WHY is there even support for an unencrypted channel?  Heck even Jabber
is being moved to a completely secure end to end encrypted channel.  With
this being created brand new, why start insecure?

I realize I am repeating the same thing I started a few months ago, but with
MS and AOL supporting OpenID, it means a lot more users will be exposed to
it, making it even more important to do it right from the beginning.

Why is there such reluctance?
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins
 Sent: Wednesday, February 28, 2007 6:14 PM
 To: specs@openid.net
 Subject: Re: HTTPS status
 
 Alaric Dailey wrote:
  Eddy Nigg and I brought up the issue of requiring SSL  a 
 while back, 
  since then I have been swamped, it looked like there was some more 
  talk about it since then.
   
  I know that there are several other people, that are 
 concerned about 
  this too, and it has even been blogged about ( 
  http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
   
  Can someone please tell me the status on this? Hopefully 
 it's being required!
  
 
 As far as I'm aware, the current status is:
 
   * All OpenID identifiers SHOULD use a secure channel.
   * All OpenID servers SHOULD use a secure channel.
   * OpenID relying parties MUST support SSL access to HTTP URLs.
   * OpenID relying parties MAY refuse to interface with 
 identifiers and servers that do not use a secure channel.
   * All other connections are out of scope of OpenID Authentication.
 
 I may be wrong on these, as I'm listing them from memory.
 
 
 
 In practice, I expect all big OpenID providers will support 
 SSL because users will demand it. The sites currently 
 providing OpenID identifiers as value-add features alongside 
 an existing service (LiveJournal, etc.) probably won't get 
 used much once there are more proper providers.
 
 People hosting their own identifiers and/or OPs probably 
 won't use SSL, but then they won't be able to use their 
 identifiers at any site which requires SSL-based OpenID 
 Authentication, and they'll be in the minority anyway.
 


RE: HTTPS status

2007-02-28 Thread Alaric Dailey
I was going to sit here and craft a large response with rebuttals for each
of your statements, but... 

At this point I think I have to be contented with the knowledge that OpenID
will be forced to change, or it will fail, this is ESPECIALLY true because
of the sudden surge in popularity.
  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Scott Kveton
 Sent: Wednesday, February 28, 2007 8:33 PM
 To: specs@openid.net
 Subject: Re: HTTPS status
 
 [snip]
  
  Why is there such reluctance?
 
 I think there are several reasons why:
 
 * Not everybody knows how to install/manage an SSL certificate
 * Not every web hosting company allows multiple IP's for sites
 * It wouldn't have been easy to get the adoption we're seeing 
 with a MUST
 * Majority of transactions are low-value today
 
 Could we have gotten where we are today with the growth that 
 we've seen _with_ a MUST?  I don't think so.
 
 The providers who are really serious about security and 
 identity will have SSL.
 
 - Scott
 


Re: HTTPS status

2007-02-28 Thread Scott Kveton
 At this point I think I have to be contented with the knowledge that OpenID
 will be forced to change, or it will fail, this is ESPECIALLY true because
 of the sudden surge in popularity.

Absolutely ... I didn't put "won't ever" in any of those bullet points.
OpenID is always going to change, evolve and mature.  It has to.  It has
already in the last 18 months and will continue to do so.  If it doesn't,
that's when we really have to worry about failure.

- Scott







 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Scott Kveton
 Sent: Wednesday, February 28, 2007 8:33 PM
 To: specs@openid.net
 Subject: Re: HTTPS status
 
 [snip]
 
 Why is there such reluctance?
 
 I think there are several reasons why:
 
 * Not everybody knows how to install/manage an SSL certificate
 * Not every web hosting company allows multiple IP's for sites
 * It wouldn't have been easy to get the adoption we're seeing
 with a MUST
 * Majority of transactions are low-value today
 
 Could we have gotten where we are today with the growth that
 we've seen _with_ a MUST?  I don't think so.
 
 The providers who are really serious about security and
 identity will have SSL.
 
 - Scott
 