Shared secret -- what for?
Carl Howells
chowells at janrain.com
Wed Jul 13 23:55:13 PDT 2005
Quoting Yuhui <yuhuibc at gmail.com>:
> LiveJournal asked me to grant identity validation for
> http://return.to.com/, I said "Yes; just this time" and was sent to
>
> http://return.to.com/?openid.mode=id_res&openid.identity=http://www.livejournal.com/users/myblogname/&openid.return_to=http://return.to.com/&openid.issued=another-date&openid.valid_to=yet-another-date&openid.assoc_handle=yadda&openid.signed=mode,identity,return_to,issued,valid_to&openid.sig=some-signature
>
> At this point, I assumed that OpenID worked successfully, and I could
> continue working on the consumer with my LJ URL.
>
> Notice, though, that I DID NOT use the shared secret (from "mac_key")
> anywhere. So what is this shared secret used for?
For confirming, when the consumer gets a request to such a URL, that it
*actually* came from the server in question. If you don't confirm that, you're
allowing anyone to send you a properly formed request, and log in with whatever
identity they want, regardless of whether they actually own the identity URL
listed in the request.
In other words, you've completely missed all the security portions of the
protocol.
Carl
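Carl's point is that the consumer must use the association's shared secret to check openid.sig over the fields listed in openid.signed before trusting the identity in an id_res request. The following is an added example, not code from this thread, from LiveJournal or from any OpenID library; it assumes the OpenID 1.1 scheme of base64(HMAC-SHA1) over the key-value form of the signed fields, and the handle-to-key table, the mac_key value and the sample URLs are all constructed here to mirror the URL in the post.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed table of association handle -> shared secret ("mac_key").
# A real consumer stores this when it associates with the identity server.
MAC_KEYS = {"yadda": b"constructed-example-mac-key"}


def signed_kv_form(params, signed_fields):
    """Key-value form over the listed fields, in the order given in openid.signed."""
    lines = []
    for field in signed_fields:
        value = params["openid." + field]
        if "\n" in value:  # a newline would let one field masquerade as two
            raise ValueError("newline in signed field")
        lines.append(f"{field}:{value}\n")
    return "".join(lines)


def compute_sig(mac_key, params):
    """base64(HMAC-SHA1(mac_key, kv-form of the signed fields))."""
    signed_fields = params["openid.signed"].split(",")
    msg = signed_kv_form(params, signed_fields).encode("utf-8")
    digest = hmac.new(mac_key, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_id_res(mac_key, assoc_handle, identity, return_to):
    """Server side: produce the signed id_res redirect URL (used here to build samples)."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "mode,identity,return_to",
    }
    params["openid.sig"] = compute_sig(mac_key, params)
    return return_to + "?" + urlencode(params)


def verify_id_res(url, mac_keys=MAC_KEYS):
    """Consumer side: accept the login only if the signature verifies."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    # The fields that decide who logs in and where must be covered by the signature.
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False
    mac_key = mac_keys.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False  # unknown or expired handle: cannot verify locally
    try:
        expected = compute_sig(mac_key, params)
    except (KeyError, ValueError):
        return False  # a signed field is missing or malformed
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


# Constructed samples mirroring the URL in the post.
IDENTITY = "http://www.livejournal.com/users/myblogname/"
RETURN_TO = "http://return.to.com/"
GENUINE_URL = build_id_res(MAC_KEYS["yadda"], "yadda", IDENTITY, RETURN_TO)
# Without mac_key a party can edit the fields but cannot produce a matching sig.
FORGED_URL = GENUINE_URL.replace("myblogname", "someoneelse")

if __name__ == "__main__":
    print("genuine:", verify_id_res(GENUINE_URL))  # True
    print("forged:", verify_id_res(FORGED_URL))    # False
```

The check rejects a request whose handle is unknown rather than falling back to trusting it; a consumer that has no key for the handle has nothing to verify against locally. Comparing the signature with hmac.compare_digest rather than == avoids leaking timing information about how many leading characters matched.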