Browser Login Plugin
bnolan at gmail.com
Thu May 19 17:00:42 PDT 2005
Oh - and the random key is not a good idea because it makes replay attacks
far too easy - and is more work for the consumer (they have to track each
user's random key).
On 5/20/05, Sam Kramer <slambo2001 at gmail.com> wrote:
> Instead of public keys, what if the OpenID server randomly generates a
> small key, and tells the consumer to use it to encode the trackback?
> I like this better than having optional public keys for consumers
> because instead of the consumer having the decision about securing
> what they send, the OpenID server has the decision about requiring
> what they receive to be secure. If the server doesn't care about the
> security, it shouldn't have to put up with decrypting the trackback
> Hope this makes some sense.
> On 5/19/05, Ben Nolan <bnolan at gmail.com> wrote:
> > (I'm ashamed of my url to private key idea) ;)
> > > If consumers had private keys (which would suck as a requirement...
> > > much pain), then what do they get from signing a trackback? What does,
> > > say, LiveJournal benefit from getting a trackback that's signed from
> > > someblog.com <http://someblog.com>? That we know it came from someblog
> > > and can trust it? We
> > > can't trust the contents... so that the origin is correct? I'm not
> > > bashing this idea... I just don't fully understand what's being
> > > verified/protected.
> > >
> > We're verifying that the comment came from someblog. And we trust
> > to *some extent* (because we shared our identity with it) - so we'll
> > it enough to post a trackback to a comment we made. The purpose of this
> > that we can receive notification of comments that we post in the
> > 'blogosphere', so that I can keep a track of comments I make.
> > The consumer could also use their public key to sign any posts they send
> > my weblog, so my identity server could tell my wordpress install to
> > someblog - then if our atom api receives a request with the querystring
> > params openid.trust_root=http://someblog/&openid.sig=...
> > it'd know to accept that post.
> > It just seems a simple way to let consumers identify themselves to
> > other than the identity server.
> > And the public key would be *totally* optional for consumers, but if we
> > a recommendation that ID servers record the URLs to consumers public
> > it gives us lots of flexibility with no additional work for consumers,
> > minimal extra work for ID servers.
> > Hope that makes more sense this time.
> > Ben
> > _______________________________________________
> > yadis mailing list
> > yadis at lists.danga.com
> > http://lists.danga.com/mailman/listinfo/yadis
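The replay point raised at the top of this message can be shown concretely. The following is an added example and not code from the thread or from any OpenID implementation: it models an identity server receiving a signed request carrying the `openid.trust_root` and `openid.sig` parameters mentioned above, first with a verifier that only checks the signature (so a captured request can be resubmitted indefinitely) and then with one that also requires a one-time nonce and a freshness window. The shared secret, the parameter names `openid.nonce` and `openid.timestamp`, and the HMAC-SHA256 construction are assumptions made for the demo; the same replay weakness and the same fix apply whether the key is a server-issued random key or a consumer keypair, because a signature over static parameters does not by itself bind the request to a single use.

```python
import hashlib
import hmac
import time

# Constructed demo secret shared by the identity server and the consumer.
# Hypothetical: the thread debates server-issued random keys versus consumer
# public keys, but the replay argument below does not depend on that choice.
SECRET = b"constructed-demo-secret"


def canonical(params):
    """Join all parameters except the signature itself in a fixed order."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "openid.sig")


def sign(params, secret=SECRET):
    """Hex HMAC-SHA256 over the canonical parameter string (assumed scheme)."""
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def signature_ok(params, secret=SECRET):
    """Constant-time comparison of the supplied openid.sig against a recomputation."""
    return hmac.compare_digest(params.get("openid.sig", ""), sign(params, secret))


class NaiveVerifier:
    """Checks the signature only: anyone who captured a valid request can replay it."""

    def accept(self, params, secret=SECRET):
        return signature_ok(params, secret)


class ReplaySafeVerifier:
    """Checks the signature, a freshness window and a one-time (trust_root, nonce) pair."""

    def __init__(self, window_seconds=300, now=time.time):
        self.window = window_seconds
        self.now = now          # injectable clock so the behaviour is testable
        self.seen = set()       # nonces already consumed; a real server would expire these

    def accept(self, params, secret=SECRET):
        if not signature_ok(params, secret):
            return False
        try:
            ts = int(params["openid.timestamp"])   # hypothetical parameter name
        except (KeyError, ValueError):
            return False
        if abs(self.now() - ts) > self.window:
            return False                            # stale: outside the freshness window
        key = (params.get("openid.trust_root"), params.get("openid.nonce"))
        if key[1] is None or key in self.seen:
            return False                            # missing or already-used nonce
        self.seen.add(key)
        return True


def make_request(nonce, ts, trust_root="http://someblog/"):
    """Build a signed request as the consumer would send it (constructed values)."""
    params = {
        "openid.trust_root": trust_root,
        "openid.nonce": nonce,              # hypothetical parameter name
        "openid.timestamp": str(ts),        # hypothetical parameter name
    }
    params["openid.sig"] = sign(params)
    return params


def demo(clock=1_000_000):
    """Return (naive accepts replay, safe accepts first, safe accepts replay)."""
    req = make_request("nonce-1", clock)
    naive = NaiveVerifier()
    naive.accept(req)
    naive_replay = naive.accept(req)            # True: nothing stops the second copy
    safe = ReplaySafeVerifier(now=lambda: clock)
    first = safe.accept(req)                    # True
    replay = safe.accept(req)                   # False: nonce already consumed
    return naive_replay, first, replay


if __name__ == "__main__":
    print(demo())
```

The verifier keeps the nonce set keyed by trust_root so that two consumers choosing the same nonce value do not collide, and the timestamp window bounds how long that set has to be retained; without the window the set would grow without limit, which is the operational cost Ben alludes to when he says the consumer or server has to track each key.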