Server losing secrets?
paul at ciphergoth.org
Fri Jun 24 23:21:09 PDT 2005
Carl Howells wrote:
> I think that would work fine. Just remember that 'invalidate_handle'
> would need to be in the openid.signed list in that case, too. (And be
> part of the signature, obviously.)
Actually I'm not 100% sure that it would. After all, the consumer is
falling back to dumb mode, and the server already knows what handles it
If the consumer is falling back to dumb mode, then all it does is take
what it received, change "id_res" to "check_authentication" and defer it
to the server. "invalidate_handle" will be passed on uninterpreted.
The server can easily check whether it's able to use the handle in the
"invalidate_handle" field; if it isn't, it copies that
"invalidate_handle" field into the reply, at which point the client
interprets it and acts on it.
Paul Crowley, paul at ciphergoth.org
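An added example (not code from this thread or from any OpenID implementation) modelling the exchange Paul describes: the server has lost the consumer's association, answers id_res signed under a private handle with invalidate_handle set, the consumer forwards that response unchanged as check_authentication, and the server echoes invalidate_handle only when it genuinely cannot use that handle. Field names follow OpenID 1.1; the signature is a simplified HMAC-SHA1 stand-in for the spec's key-value encoding, and the Server class, secrets and handle values are constructed for the example.

```python
import hashlib
import hmac

def sign(secret, fields, signed):
    # Simplified OpenID 1.1-style signature: HMAC-SHA1 over "name:value\n" per signed field.
    msg = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return hmac.new(secret, msg.encode(), hashlib.sha1).hexdigest()

class Server:
    def __init__(self):
        self.assocs = {}   # handle -> shared secret (smart-mode associations)
        self.private = {}  # server-only handles used when a consumer handle is unusable

    def id_res(self, assoc_handle, identity):
        """Positive assertion; if the consumer's handle was lost, sign under a private handle."""
        f = {"openid.mode": "id_res", "openid.identity": identity}
        if assoc_handle in self.assocs:
            handle, secret = assoc_handle, self.assocs[assoc_handle]
            signed = "mode,identity,assoc_handle"
        else:
            handle = "priv-" + hashlib.sha1(identity.encode()).hexdigest()[:8]
            secret = self.private.setdefault(handle, b"constructed-private-secret")
            f["openid.invalidate_handle"] = assoc_handle  # tell the consumer to drop it
            signed = "mode,identity,assoc_handle,invalidate_handle"
        f["openid.assoc_handle"], f["openid.signed"] = handle, signed
        f["openid.sig"] = sign(secret, f, signed)
        return f

    def check_authentication(self, req):
        """Dumb-mode check: verify with the private secret (mode checked as 'id_res')."""
        reply = {"is_valid": "false"}
        secret = self.private.get(req["openid.assoc_handle"])
        if secret is not None:
            as_sent = {**req, "openid.mode": "id_res"}
            expected = sign(secret, as_sent, req["openid.signed"])
            if hmac.compare_digest(expected, req["openid.sig"]):
                reply["is_valid"] = "true"
        # Echo invalidate_handle only if the server really cannot use that handle.
        stale = req.get("openid.invalidate_handle")
        if stale is not None and stale not in self.assocs:
            reply["invalidate_handle"] = stale
        return reply

def consumer_dumb_mode(server, response, known_handles):
    """Consumer with no usable secret: forward id_res as check_authentication, act on reply."""
    req = {**response, "openid.mode": "check_authentication"}
    reply = server.check_authentication(req)
    known_handles.discard(reply.get("invalidate_handle"))
    return reply["is_valid"] == "true", known_handles
```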