Improving OpenIDs use of cryptography 1 - using a MAC
Brad Fitzpatrick
brad at danga.com
Thu Jun 2 10:25:35 PDT 2005
On Thu, 2 Jun 2005, Paul Crowley wrote:
> Brad Fitzpatrick wrote:
> > Ignoring snooping (which we've already agreed is unlikely), how do you get
> > the shared secret from identity server to consumer? Obviously not through
> > an HTTP redirect, because then the user and WiFi is involved. It can't be
> > a publicly accessible URL on the ID server that the consmer can GET,
> > otherwise anybody could get it.
>
> Ah, but it can! Sorry I haven't made this clear already. It's very
> simple: the server generates a new secret every time it's asked for one.
Ah, right. Thanks.
> The clever bit is that the server doesn't have to store lots of secrets.
> It stores a secret per day.
Yeah, like LJ::get_secret. (thanks for using that as an example earlier
so I could understand. :))
Somewhat related, Ben Trott brought up using Diffie-Hellman for shared
secret exchange, rather than trusting that connections can't be sniffed.
Thoughts on that? I don't know enough about it, like how much p and g can
be re-used. I also haven't thought up who would generate p/g and what the
HTTP requests would look like.
- Brad
More information about the yadis
mailing list