Hi list,
I just had a really fertile talk with Eddy about "IdP reputation", during which I came up with a couple of ideas which I found sound enough to be shared with the community:

1. If an RP is after strong IdP security, it should only trust IdPs that have SSL (so it would resolve all identifiers to https://).
2. Once an identity server is queried over SSL, it will be forced to return an X.509 certificate.
3. X.509 certificates support explicit client-side security policy (so the RP may define a list of CAs it trusts for granting certificates to IdPs).
4. An "OpenID provider" certificate key usage should be defined (to be checked by RPs).
5. A separate "IdP certificate" should be defined (to be queried via an extension to the protocol).
6. A combination of (4) and (5) may be used for optimal transparent security.

Please forgive me if (4) or (5) were already defined. I'm not familiar with all existing OpenID extensions.

Should the "IdP reputation" issue be discussed further?

Regards,
Dmitry
=damnian
_______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
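To make points (1), (3) and (4) of the proposal concrete, here is an added illustration of the RP-side policy (not code from the post or from any OpenID implementation): identifiers are forced to https://, the TLS context trusts only the RP's own CA bundle, and the peer certificate is checked for a trusted issuer and for an "OpenID provider" key usage. Because no such key usage exists, its OID is a labelled placeholder, and the certificate summary is a constructed dict rather than a live handshake result.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder: the post asks for an "OpenID provider" key usage
# to be defined; no real OID is given, so this stand-in marks where it goes.
OPENID_PROVIDER_EKU = "OID-PLACEHOLDER-openid-provider"


def resolve_to_https(identifier: str) -> str:
    """Point (1): the RP only talks to IdPs over TLS, so every identifier is
    normalised to an https:// URL and any other scheme is refused."""
    if "://" not in identifier:
        identifier = "https://" + identifier
    parts = urlsplit(identifier)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS identifier: {identifier}")
    path = parts.path or "/"
    return urlunsplit(("https", parts.netloc, path, parts.query, ""))


def rp_tls_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Point (3): client-side policy. Trust only the CAs in the RP's own
    bundle (not the system store) and require a verified server cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def check_idp_certificate(cert: dict, trusted_issuers: set) -> list:
    """Points (3) and (4): after the handshake, apply the RP's policy to a
    summary of the peer certificate. `cert` is a constructed dict holding
    the issuer DN and the extended key usage OIDs; returns the policy
    violations found (empty list means the IdP certificate is acceptable)."""
    problems = []
    if cert.get("issuer") not in trusted_issuers:
        problems.append("issuer not in RP's trusted CA list")
    if OPENID_PROVIDER_EKU not in cert.get("extended_key_usage", []):
        problems.append("certificate lacks the OpenID provider key usage")
    return problems
```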
