Server losing secrets?

Paul Crowley paul at ciphergoth.org
Sat Jun 25 14:31:55 PDT 2005


Brad Fitzpatrick wrote:
>>and the server already knows what handles it can accept.
> 
> What?

Given a handle, the server can figure out whether it's able to produce 
the associated secret.

> So you're saying:  "Who cares if it's in the 'signed' group, since we're
> doing an actual POST to the id server anyway...  The id server can just
> include it in its response, so we know it didn't come from a casual
> attacker just trying to empty our cache."

Exactly.
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/

