Proposed Specification for New Consumer-Server Commnunications
Nathan D. Bowen
nbowen+yadis at andtonic.com
Thu Jun 9 11:34:28 PDT 2005
Paul Crowley wrote:
>> The Consumer needs to know what shared secret will be used for
>> identity tokens created under this association.
>> Parameter: openid.encrypted_hmac_secret
>> Value: base64(SHA1(BTWOC(DH_secret_integer)) XOR hmac_secret)
> No need to include the word "hmac" in here.
I see your point about generality, but does it follow that we should
continue to simply call it "secret", ditching the idea of making it
*any* less ambiguous? Does anyone have any other suggestions? I've heard
that we have to anticipate HMAC-SHA1, HMAC-TIGER, and UMAC, so perhaps
it is 'mac_secret'/'enc_mac_secret'. Or, since I see the signed ID token
being called "sig" in the "Checking Identity" section, would it be fair
to call this the 'signing_secret'? 'sig_secret'?
Help us out -- you've informed us that they are *not* all hashing
algorithms. But what *are* they all? Signing algorithms? MAC algorithms?
Even if everyone's happy with the parameter names and/or sick of
discussing them, someone is going to need your help to choose a general
term to use in the English language parts of the specification.
That formula includes two things called "secrets", so I'm inclined to
avoid using "The Secret" to refer to either of them. The question in my
mind is whether we want to communicate the formula to the rest of the
"The SHA-1 hash of the DH Secret Integer is XORed with the Signing
"The SHA-1 hash of the DH Secret Integer is XORed with the MAC Secret"
"The SHA-1 hash of the DH Secret Integer is XORed with the Secret"
"The SHA-1 hash of gx ^ y mod p is XORed with the Secret"
Speaking of 'gx', does anyone prefer 'gen' over 'g' and 'modulus' over
'p' -- but not also prefer 'server_public' and 'consumer_public' over
'gy' and 'gx'?
RSA's description of DH doesn't include gx or gy, but it does include
Alice's Public Value and Bob's Public Value.
Java's DHPublicKey.getY() is documented as "Returns the public value,
|y|.". DHPrivateKey.getX() is documented as "Returns the private value,
|x|.". So the X and Y could easily be confusing to newcomers who read
the java documentation looking for 'gx' and 'gy', but "public" and
"private" are right there.
RFC 2409, on IKE, says
g^xi and g^xr are the Diffie-Hellman ([DH]) public values of the
initiator and responder respectively.
No gx or gy there, but I understand 'public value', 'initiator', and
If our terms match the terms used in a wide range of
publically-available documentation, we are leveraging the work of others
who have explained these things before us, instead of burdening
ourselves with providing our own description of things like
Diffie-Hellman (whether it's in the specification or on the mailing list).
I truly want to find names (for variables or documentation) that sound
technically accurate to the cryptographers, but I'm confident that they
can also be functionally descriptive for laymen programmers like me and
some others who have had to ask "I see this-or-that variable but I do
not understand why or when it is used". And if OpenID uses good,
descriptive terms, an implementor can use the same terms in an API and
the documentation thereof.
More information about the yadis