Proposed Specification for New Consumer-Server Commnunications

Nathan D. Bowen nbowen+yadis at
Thu Jun 9 11:34:28 PDT 2005

Paul Crowley wrote:

>> The Consumer needs to know what shared secret will be used for 
>> identity tokens created under this association.
>>    Parameter: openid.encrypted_hmac_secret
>>    Value: base64(SHA1(BTWOC(DH_secret_integer)) XOR hmac_secret)
> No need to include the word "hmac" in here.

I see your point about generality, but does it follow that we should 
continue to simply call it "secret", ditching the idea of making it 
*any* less ambiguous? Does anyone have any other suggestions? I've heard 
that we have to anticipate HMAC-SHA1, HMAC-TIGER, and UMAC, so perhaps 
it is 'mac_secret'/'enc_mac_secret'. Or, since I see the signed ID token 
being called "sig" in the "Checking Identity" section, would it be fair 
to call this the 'signing_secret'? 'sig_secret'?

Help us out -- you've informed us that they are *not* all hashing 
algorithms. But what *are* they all? Signing algorithms? MAC algorithms? 
Even if everyone's happy with the parameter names and/or sick of 
discussing them, someone is going to need your help to choose a general 
term to use in the English language parts of the specification.

That formula includes two things called "secrets", so I'm inclined to 
avoid using "The Secret" to refer to either of them. The question in my 
mind is whether we want to communicate the formula to the rest of the 
world as:
    "The SHA-1 hash of the DH Secret Integer is XORed with the Signing 
    "The SHA-1 hash of the DH Secret Integer is XORed with the MAC Secret"
    "The SHA-1 hash of the DH Secret Integer is XORed with the Secret"
    "The SHA-1 hash of gx ^ y mod p is XORed with the Secret"

Speaking of 'gx', does anyone prefer 'gen' over 'g' and 'modulus' over 
'p' -- but not also prefer 'server_public' and 'consumer_public' over 
'gy' and 'gx'?

RSA's description of DH doesn't include gx or gy, but it does include 
Alice's Public Value and Bob's Public Value.

Java's DHPublicKey.getY() is documented as "Returns the public value, 
|y|.". DHPrivateKey.getX() is documented as "Returns the private value, 
|x|.". So the X and Y could easily be confusing to newcomers who read 
the java documentation looking for 'gx' and 'gy', but "public" and 
"private" are right there.

RFC 2409, on IKE, says

     g^xi and g^xr are the Diffie-Hellman ([DH]) public values of the
     initiator and responder respectively.

No gx or gy there, but I understand 'public value', 'initiator', and 

If our terms match the terms used in a wide range of 
publically-available documentation, we are leveraging the work of others 
who have explained these things before us, instead of burdening 
ourselves with providing our own description of things like 
Diffie-Hellman (whether it's in the specification or on the mailing list).

I truly want to find names (for variables or documentation) that sound 
technically accurate to the cryptographers, but I'm confident that they 
can also be functionally descriptive for laymen programmers like me and 
some others who have had to ask "I see this-or-that variable but I do 
not understand why or when it is used". And if OpenID uses good, 
descriptive terms, an implementor can use the same terms in an API and 
the documentation thereof.

More information about the yadis mailing list