Improving OpenIDs use of cryptography 1 - using a MAC

Paul Crowley paul at
Thu Jun 2 11:31:27 PDT 2005

Brad Fitzpatrick wrote:
> Somewhat related, Ben Trott brought up using Diffie-Hellman for shared
> secret exchange, rather than trusting that connections can't be sniffed.
> Thoughts on that? I don't know enough about it, like how much p and g can
> be re-used.  I also haven't thought up who would generate p/g and what the
> HTTP requests would look like.

I can't see any point in this.  We already agree that an active attack 
is the most likely sort, and they will have no difficulty breaking this 
measure, so it would introduce enormous complexity in the implementation 
to very little gain.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list