Improving OpenID's use of cryptography 3 - odds and ends

Ken Horn ken.horn at clara.co.uk
Thu Jun 2 06:31:08 PDT 2005


Can we make sure that the spec details the full protocol and algorithms, 
rather than relying on specific implementation libraries/details? If 
openID is to take off, I think there will need to be many 
implementations in several (if not many) languages. Not trying to be 
bullish, but the conversations on the protocols always seem to veer into 
implementation discussions.

Martin Atkins wrote:

>Paul Crowley wrote:
>  
>
>>If you really want to get stateless, with sufficient cunning you could
>>use encryption and cookies to store all your state as cookies on the
>>client's browser and avoid the need for any server-side storage at all,
>>apart from for the encryption secret...
>>
>>    
>>
>
>I already run a site which uses a trick like that to avoid storing login
>session state on the server, but I do it while assuming that it's only
>slightly more secure than it would be to just store the user's password
>in a cookie. Still, coming from someone who clearly knows a lot more
>cryptography than I do I'll take the assersion that this is possible and
>secure on trust for now.
>
>  
>
>>I think it's more important that the API to the script be simple than
>>that the internals be so - so long as the script is easy to deploy and
>>use, a little extra internal complexity won't hurt them.   In any case,
>>the only part of my proposal that's not really essential for security is
>>the change to HMAC-SHA1, and that's a simplification that will encourage
>>adoption.
>>    
>>
>
>Certainly, if all the details are hidden inside a consumer library then
>I would accept that as simple, as long as the library doesn't have any
>crazy dependencies. Ideally such a library would also be able to operate
>both in stateful (with an application-supplied external storage
>implementation) and stateless (where such an implementation is not
>supplied) modes and handle your "sufficient cunning" as noted above.
>
>_______________________________________________
>yadis mailing list
>yadis at lists.danga.com
>http://lists.danga.com/mailman/listinfo/yadis
>
>
>
>
>  
>



More information about the yadis mailing list