On Mon, 9 Feb 2009 13:53:32 -0700 SitG Admin <[email protected]> wrote:
> The question then becomes - how do you know you can trust a given OP?

Which, when compared to a traditional password situation, becomes "how do you know you can trust a given user".

> Or, if those assertions are *not* present, inform the user that their
> OP has vouched for them but the level of security is not sufficient
> to permit full services.

Or let them make that call. I've had at least one bank that made me jump through all sorts of stupid hoops, but restricted my password choices so much that they may as well have said "and it has to be your first and last name" (what is it with banks and restricted password characters? Do they not know how to escape their SQL?). I'd feel far happier with unencrypted HTTP through my own site than trusting what most of my financial institutions do with passwords.

Dan
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
