RE: HTTPS status
May I argue that a secure end-to-end encrypted channel does not always equal SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential of using identity-based encryption (IBE)...

Date: Wed, 28 Feb 2007 20:23:46 -0600
From: Alaric Dailey [EMAIL PROTECTED]
Subject: RE: HTTPS status
To: specs@openid.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

> That wording is better than I remember, but really with free certificates being readily available, and the obvious need for protecting users data, WHY oh WHY is there even support for an unencrypted channel?
>
> Heck even Jabber is being moved to a completely secure end to end encrypted channel.
>
> With this being created brand new, why start insecure?
>
> I realize I am repeating the same thing I started a few months ago, but with MS and AOL supporting OpenID, it means a lot more users will be exposed to it, making it even more important to do it right from the beginning.
>
> Why is there such reluctance?

This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: HTTPS status
You could certainly argue it, I have no objection, SSL seems the obvious choice for several reasons:

1. Cheap (now free from several CAs)
2. Well Supported (the code I looked at was running over HTTP so it would be a VERY minor change to do https)
3. Identity validation is done by the CA.

Are a few off the top of my head.

However... I am not hung up on it, what I see as ABSOLUTELY Necessary is protecting the users data in transit with encryption.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Thursday, March 01, 2007 12:20 PM
To: specs@openid.net
Subject: RE: HTTPS status

May I argue that a secure end-to-end encrypted channel does not always equal SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential of using identity-based encryption (IBE)...

Date: Wed, 28 Feb 2007 20:23:46 -0600
From: Alaric Dailey [EMAIL PROTECTED]
Subject: RE: HTTPS status
To: specs@openid.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

> That wording is better than I remember, but really with free certificates being readily available, and the obvious need for protecting users data, WHY oh WHY is there even support for an unencrypted channel?
>
> Heck even Jabber is being moved to a completely secure end to end encrypted channel.
>
> With this being created brand new, why start insecure?
>
> I realize I am repeating the same thing I started a few months ago, but with MS and AOL supporting OpenID, it means a lot more users will be exposed to it, making it even more important to do it right from the beginning.
>
> Why is there such reluctance?

HTTPS status
Eddy Nigg and I brought up the issue of requiring SSL a while back, since then I have been swamped, it looked like there was some more talk about it since then.

I know that there are several other people that are concerned about this too, and it has even been blogged about ( http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )

Can someone please tell me the status on this? Hopefully it's being required!

Re: HTTPS status
Alaric Dailey wrote:

> Eddy Nigg and I brought up the issue of requiring SSL a while back, since then I have been swamped, it looked like there was some more talk about it since then.
>
> I know that there are several other people that are concerned about this too, and it has even been blogged about ( http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
>
> Can someone please tell me the status on this? Hopefully it's being required!

As far as I'm aware, the current status is:

* All OpenID identifiers SHOULD use a secure channel.
* All OpenID servers SHOULD use a secure channel.
* OpenID relying parties MUST support SSL access to HTTP URLs.
* OpenID relying parties MAY refuse to interface with identifiers and servers that do not use a secure channel.
* All other connections are out of scope of OpenID Authentication.

I may be wrong on these, as I'm listing them from memory.

In practice, I expect all big OpenID providers will support SSL because users will demand it. The sites currently providing OpenID identifiers as value-add features alongside an existing service (LiveJournal, etc.) probably won't get used much once there are more proper providers.

People hosting their own identifiers and/or OPs probably won't use SSL, but then they won't be able to use their identifiers at any site which requires SSL-based OpenID Authentication, and they'll be in the minority anyway.

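Added example, not part of the thread or of the OpenID specification: a sketch of a relying party that takes up the "MAY refuse" option from the status list above and checks both the identifier and the server. It goes one step beyond the list by also checking each redirect followed while resolving the identifier; the function names, the hop list and the example.* hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def is_secure(url):
    """True only for an absolute https:// URL that names a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def check_channels(identifier_hops, server_url, require_secure=True):
    """Relying-party check for one authentication attempt.

    identifier_hops: URLs fetched while resolving the identifier, in order
                     (the identifier itself, then each redirect target).
    server_url:      the OpenID server discovered from the identifier.
    Returns (accepted, problems).
    """
    problems = []
    for i, url in enumerate(identifier_hops):
        if not is_secure(url):
            where = "identifier" if i == 0 else "redirect hop %d" % i
            problems.append("%s is not on a secure channel: %s" % (where, url))
    if not is_secure(server_url):
        problems.append("server is not on a secure channel: %s" % server_url)
    # A relying party that opts in to the MAY refuses on any problem;
    # one that does not still gets the list back for logging.
    return (not (require_secure and problems)), problems

# Constructed sample attempts (hypothetical hosts, not from the thread).
ATTEMPTS = {
    "all-https": (["https://id.example/alice"], "https://op.example/server"),
    "plain-identifier": (["http://id.example/alice"], "https://op.example/server"),
    "downgrading-redirect": (
        ["https://id.example/alice", "http://legacy.example/alice"],
        "https://op.example/server",
    ),
    "plain-server": (["https://id.example/alice"], "http://op.example/server"),
}

if __name__ == "__main__":
    for name, (hops, server) in ATTEMPTS.items():
        ok, problems = check_channels(hops, server)
        print(name, "accepted" if ok else "refused", problems)
```

The "downgrading-redirect" and "plain-server" cases are the ones a check of the typed identifier alone would miss.
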
RE: HTTPS status
That wording is better than I remember, but really with free certificates being readily available, and the obvious need for protecting users data, WHY oh WHY is there even support for an unencrypted channel?

Heck even Jabber is being moved to a completely secure end to end encrypted channel.

With this being created brand new, why start insecure?

I realize I am repeating the same thing I started a few months ago, but with MS and AOL supporting OpenID, it means a lot more users will be exposed to it, making it even more important to do it right from the beginning.

Why is there such reluctance?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins
Sent: Wednesday, February 28, 2007 6:14 PM
To: specs@openid.net
Subject: Re: HTTPS status

Alaric Dailey wrote:

> Eddy Nigg and I brought up the issue of requiring SSL a while back, since then I have been swamped, it looked like there was some more talk about it since then.
>
> I know that there are several other people that are concerned about this too, and it has even been blogged about ( http://www.tbray.org/ongoing/When/200x/2007/02/24/OpenID )
>
> Can someone please tell me the status on this? Hopefully it's being required!

As far as I'm aware, the current status is:

* All OpenID identifiers SHOULD use a secure channel.
* All OpenID servers SHOULD use a secure channel.
* OpenID relying parties MUST support SSL access to HTTP URLs.
* OpenID relying parties MAY refuse to interface with identifiers and servers that do not use a secure channel.
* All other connections are out of scope of OpenID Authentication.

I may be wrong on these, as I'm listing them from memory.

In practice, I expect all big OpenID providers will support SSL because users will demand it. The sites currently providing OpenID identifiers as value-add features alongside an existing service (LiveJournal, etc.) probably won't get used much once there are more proper providers.

People hosting their own identifiers and/or OPs probably won't use SSL, but then they won't be able to use their identifiers at any site which requires SSL-based OpenID Authentication, and they'll be in the minority anyway.

RE: HTTPS status
I was going to sit here and craft a large response with rebuttals for each of your statements, but...

At this point I think I have to be contented with the knowledge that OpenID will be forced to change, or it will fail, this is ESPECIALLY true because of the sudden surge in popularity.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Kveton
Sent: Wednesday, February 28, 2007 8:33 PM
To: specs@openid.net
Subject: Re: HTTPS status

[snip]

> Why is there such reluctance?

I think there are several reasons why:

* Not everybody knows how to install/manage an SSL certificate
* Not every web hosting company allows multiple IPs for sites
* It wouldn't have been easy to get the adoption we're seeing with a MUST
* Majority of transactions are low-value today

Could we have gotten where we are today with the growth that we've seen _with_ a MUST? I don't think so. The providers who are really serious about security and identity will have SSL.

- Scott

Re: HTTPS status
> At this point I think I have to be contented with the knowledge that OpenID will be forced to change, or it will fail, this is ESPECIALLY true because of the sudden surge in popularity.

Absolutely ... I didn't put won't ever in any of those bullet points. OpenID is always going to change, evolve and mature. It has to. It has already in the last 18 months and will continue to do so. If it doesn't, that's when we really have to worry about failure.

- Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Kveton
Sent: Wednesday, February 28, 2007 8:33 PM
To: specs@openid.net
Subject: Re: HTTPS status

[snip]

> Why is there such reluctance?

I think there are several reasons why:

* Not everybody knows how to install/manage an SSL certificate
* Not every web hosting company allows multiple IPs for sites
* It wouldn't have been easy to get the adoption we're seeing with a MUST
* Majority of transactions are low-value today

Could we have gotten where we are today with the growth that we've seen _with_ a MUST? I don't think so. The providers who are really serious about security and identity will have SSL.

- Scott