I'm planning to check in the following patch to the authentication spec later today unless anyone has STRONG objections. It says that SSL is not REQUIRED, though comes as close to saying that it is that I think we can. Josh, Mart, and I believe this is a good middle position to take on the matter. We certainly believe any reputable IdP will correctly use SSL, though there are cases (such as using OpenID Authentication fully within your own trusted network) where it is not required.
--David Index: openid-authentication.xml =================================================================== --- openid-authentication.xml (revision 68) +++ openid-authentication.xml (working copy) @@ -2216,7 +2216,17 @@ <t> In order to get protection from SSL, SSL must be used for all parts of the interaction, including interaction with - the End User through the User Agent. + the End User through the User Agent. While the protocol + does not require SSL be used, its use is strongly + RECOMMENDED. Current best practicies dictate that an IdP + SHOULD use SSL, with a certificate signed by a trusted + authority, to secure its service endpoint. In addition, + SSL, with a certificate signed by a trusted authority, + SHOULD be used so that a Relying Party can fetch the + End User's URL in a secure manner. Please keep in mind + that a Relying Party MAY decide to not complete, or even + begin, a transaction if SSL is not being correctly used + at these various endpoints. </t> </section> </section> _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs