Improving OpenIDs use of cryptography 1 - using a MAC

Brad Fitzpatrick brad at
Thu Jun 2 10:25:35 PDT 2005

On Thu, 2 Jun 2005, Paul Crowley wrote:

> Brad Fitzpatrick wrote:
> > Ignoring snooping (which we've already agreed is unlikely), how do you get
> > the shared secret from identity server to consumer?  Obviously not through
> > an HTTP redirect, because then the user and WiFi is involved. It can't be
> > a publicly accessible URL on the ID server that the consmer can GET,
> > otherwise anybody could get it.
> Ah, but it can!  Sorry I haven't made this clear already.  It's very
> simple: the server generates a new secret every time it's asked for one.

Ah, right.  Thanks.

> The clever bit is that the server doesn't have to store lots of secrets.
>   It stores a secret per day.

Yeah, like LJ::get_secret.  (thanks for using that as an example earlier
so I could understand.  :))

Somewhat related, Ben Trott brought up using Diffie-Hellman for shared
secret exchange, rather than trusting that connections can't be sniffed.
Thoughts on that? I don't know enough about it, like how much p and g can
be re-used.  I also haven't thought up who would generate p/g and what the
HTTP requests would look like.

- Brad

More information about the yadis mailing list