Shared secret -- what for?

Carl Howells chowells at
Wed Jul 13 23:55:13 PDT 2005

Quoting Yuhui <yuhuibc at>:

> LiveJournal asked me to grant identity validation for
>, I said "Yes; just this time" and was sent to
> At this point, I assumed that OpenID worked successfully, and I could
> continue working on the consumer with my LJ URL.
> Notice, though, that I DID NOT use the shared secret (from "mac_key")
> anywhere. So what is this shared secret used for?

For confirming, when the consumer gets a request to such a URL, that it
*actually* came from the server in question.  If you don't confirm that, you're
allowing anyone to send you a properly formed request, and log in with whatever
identity they want, regardless of whether they actually own the identity URL
listed in the request.

In other words, you've completely missed all the security portions of the


More information about the yadis mailing list