Improving OpenID's use of cryptography 3 - odds and ends

Paul Crowley paul at
Wed Jun 1 20:14:27 PDT 2005

I'm worried by the format of what is signed - what guarantees that the 
sequence "::" can't turn up in any of the things being signed?  You 
should check for this sequence in everything you sign and reject if it's 
present.  Better yet, use a really robust means of concatenation such as 
SPKI's length:string format: if you want to put together two tokens, 
"hello" and "mum", they are expressed as 5:hello3:mum.  That way 
ambiguity is impossible.

OpenID consumers and servers should run NTP.  If a timestamp appears to 
be in the future, it probably makes sense to tolerate it so long as the 
discrepancy is no more than a few seconds.  (This should have gone into 
"lifespans" - sorry!)

You should make it explicit that the return URL should always contain a 
nonce, and should be checked.

In general, it would be good to go into more detail on exactly what 
precautions an identity client, or server, need to follow to preserve 
security.  You mention a couple (don't give away why identity was 
refused in the URL; don't accept trust roots like http://* but I 
suspect there are more that you've bourne in mind while coding 
LiveJournal's OpenID implementation that need documented here - things 
about what you need to tell or warn the user, for example.

I proposed an SSO protocol similar to OpenID a while back: see

\/ o\ Paul Crowley, paul at

More information about the yadis mailing list