OpenID status update

Ken Horn ken.horn at clara.co.uk
Fri Jun 3 03:02:38 PDT 2005


Is a middle ground to declare a version / protocol name with the current 
impl? An extra field, openid.version=1.0 or something to make the sig 
(in particular) less opaque like:
    openid.sig={DSAwithSHA1}MNalckcmw23429387492834....
or even:
    openid.sig={base64(DSA(SHA1(tokenV1)))}MNalckcmw23429387492834....

Debugging differently signed / encoded tokens will be horrific if they 
change later. It would be nice to avoid over time:
    openid.sig=MNsdfdfs
    openid.sig2=alkjdhcaldsakjd
etc

Jean-Luc Delatre wrote:

> Brad Fitzpatrick wrote:
>
>> I don't have the necessary crypto background to do this on my own, and
>> all my code/work is essentially done at this point, so I'm doing all I
>> can to not push this live on LiveJournal /tonight/.
>>  
>>
> Yes indeed!
> What's the point of spreading Yet Another Crock?
>
> http://it.slashdot.org/comments.pl?sid=150061&cid=12580113
>
> I don't agree *at all* with that rush forward.
> There is no shortage of lousy software all over the place.
> I would much prefer that enough time be given to Paul Crowley to 
> review the protocol with added contributions from list members.
>
> I do agree with some of your points like no encryption in the core and 
> not sending private keys in the clear.
> I don't have the necessary crypto background either but I try to 
> educate myself :
>
> http://dimacs.rutgers.edu/Workshops/Security/program2/boyd/final.html
>
> The fact that a protocol is difficult to understand does not mean that 
> it is difficult to implement, the availability of proper 
> packages/libraries has more impact.
>
> Cheers,
>
> JLD
>
> P.S. I have trouble with current test trials on livejournal, it 
> appears that some parameter names get mangled
> in the returned page like 'openid_assert_identity' instead of 
> 'openid.assert_identity', how's that?
>
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
More information about the yadis mailing list
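
An added example, not part of the original post or of any OpenID implementation: a verifier for the tagged `{ALG}value` signature format suggested above, which refuses untagged values and any tag outside its accept list. The tag names, key and token are constructed, and HMAC from the Python standard library stands in for the DSA signature the post mentions.

```python
import base64
import hashlib
import hmac
import re

# Hypothetical tag names; HMAC stands in for DSA so this runs on the stdlib.
ALGORITHMS = {"HMACwithSHA1": hashlib.sha1, "HMACwithSHA256": hashlib.sha256}
TAGGED = re.compile(r"^\{([A-Za-z0-9]+)\}([A-Za-z0-9+/]+={0,2})$")

KEY = b"constructed-shared-secret"            # constructed sample key
TOKEN = b"openid.assert_identity=example"     # constructed sample token


class SignatureError(ValueError):
    """Raised for any signature value the verifier refuses."""


def _mac(key: bytes, token: bytes, alg: str) -> bytes:
    # The tag is part of the signed input, so relabelling a signature breaks it.
    return hmac.new(key, alg.encode() + b"\n" + token, ALGORITHMS[alg]).digest()


def sign(key: bytes, token: bytes, alg: str) -> str:
    """Return a self-describing value of the form {ALG}base64(mac)."""
    return "{%s}%s" % (alg, base64.b64encode(_mac(key, token, alg)).decode())


def verify(key: bytes, token: bytes, value: str,
           accepted=("HMACwithSHA256",)) -> str:
    """Check a tagged signature and return the algorithm name that verified."""
    m = TAGGED.match(value)
    if m is None:
        raise SignatureError("untagged or malformed signature value")
    alg, b64 = m.groups()
    if alg not in ALGORITHMS:
        raise SignatureError("unknown algorithm tag: " + alg)
    if alg not in accepted:
        # The sender names the algorithm; the verifier's policy decides.
        raise SignatureError("algorithm not accepted by policy: " + alg)
    try:
        given = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise SignatureError("bad base64 in signature") from exc
    if not hmac.compare_digest(given, _mac(key, token, alg)):
        raise SignatureError("signature mismatch")
    return alg
```

Keeping the accept list on the verifier side means a later algorithm change is a policy edit rather than a new `openid.sig2` field.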