Improving OpenID's use of cryptography 1 - using a MAC

Paul Crowley paul at
Fri Jun 3 08:03:30 PDT 2005

Ben Hyde wrote:
> One thing I sort of like about the design as it stands is the lack of 
> any state/account/relationship between the client and id servers. 

> I'd prefer not to introduce real accounts between the client-server <-> 
> id-server.

This proposal preserves those attributes.  While you can cache the 
HMAC-SHA1 secret just as you can cache the DSA key, you don't have to. 
You only have to keep it for the lifespan of this one authentication 
attempt, and you have to have some state for that long anyway for 
security.  You can even use cunning tricks to encrypt it into the return 
URL if you don't want to store it.
\/ o\ Paul Crowley, paul at
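As an added illustration of the stateless variant described in the message above (example code, not from the original post or from any OpenID implementation): the consumer picks a fresh HMAC-SHA1 secret for one authentication attempt, wraps it into the return URL under consumer-only keys (an assumed encrypt-then-MAC construction built from HMAC-SHA256), the id server signs the assertion with that secret, and the consumer recovers the secret from the return URL rather than storing it. How the secret reaches the id server is outside this message, so here it is simply handed to `idserver_sign` as an argument; all key material and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical consumer-side long-term keys (constructed for this example).
# Only the consumer holds these; the id server never sees them.
K_ENC = hashlib.sha256(b"consumer-wrap-key-example").digest()
K_MAC = hashlib.sha256(b"consumer-tag-key-example").digest()

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sig_base(fields: dict) -> bytes:
    # Canonical "key:value\n" form of the fields the id server asserts.
    return "".join(f"{k}:{fields[k]}\n" for k in sorted(fields)).encode()

def consumer_start(base_return_url: str) -> tuple[bytes, str]:
    """Pick a per-attempt HMAC-SHA1 secret and wrap it into return_to."""
    secret = os.urandom(20)
    nonce = os.urandom(16)
    # Encrypt-then-MAC: HMAC-SHA256 as a one-block PRF gives the keystream,
    # a second HMAC-SHA256 under K_MAC authenticates nonce and ciphertext.
    keystream = hmac.new(K_ENC, nonce, hashlib.sha256).digest()[:20]
    ct = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()
    return_to = base_return_url + "?" + urlencode({"st": _b64e(nonce + ct + tag)})
    return secret, return_to

def idserver_sign(secret: bytes, fields: dict) -> str:
    """Id server: sign the assertion with the per-attempt secret (HMAC-SHA1)."""
    return _b64e(hmac.new(secret, _sig_base(fields), hashlib.sha1).digest())

def consumer_verify(fields: dict, sig: str) -> bool:
    """Consumer: recover the secret from return_to (no stored state), check sig."""
    st = _b64d(parse_qs(urlsplit(fields["return_to"]).query)["st"][0])
    nonce, ct, tag = st[:16], st[16:36], st[36:]
    if not hmac.compare_digest(tag, hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()):
        return False  # wrapped state was tampered with or not produced by us
    keystream = hmac.new(K_ENC, nonce, hashlib.sha256).digest()[:20]
    secret = bytes(a ^ b for a, b in zip(ct, keystream))
    expected = hmac.new(secret, _sig_base(fields), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))
```

Because return_to is one of the signed fields, the id server's signature also binds the wrapped secret, so the consumer needs nothing beyond its own long-term keys at verification time.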
