imranghory at gmail.com
Mon May 23 11:28:51 PDT 2005
some random ideas about verifying the keys of the id server:
1) The consumer should send (via the user) the fingerprint it holds
for the ID server keys, that way the ID server will know (and be able
to keep track) if something like DNS poisoning has occured or if a
consumer has obtained a dodgy key.
2) As an extension of the above idea, if the fingerprint it gets is
for an old key then it should send a reply with the old key but also a
signed notice saying "I have a new key this is its fingerprint". This
would give some level of security for when id servers change key.
More information about the yadis