Improving OpenID's use of cryptography 1 - using a MAC
Paul Crowley
paul at ciphergoth.org
Fri Jun 3 08:03:30 PDT 2005
Ben Hyde wrote:
> One thing I sort of like about the design as it stands is the lack of
> any state/account/relationship between the client and id servers.
> I'd prefer not to introduce real accounts between the client-server <->
> id-server.
This proposal preserves those attributes. While you can cache the
HMAC-SHA1 secret just as you can cache the DSA key, you don't have to.
You only have to keep it for the lifespan of this one authentication
attempt, and you have to have some state for that long anyway for
security. You can even use cunning tricks to encrypt it into the return
URL if you don't want to store it.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
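The flow the reply describes, written out as an added example (it is not code from the post, from the yadis list or from any OpenID implementation): the consumer picks a fresh HMAC-SHA1 secret for one authentication attempt, the identity server uses it to MAC the assertion, and the consumer keeps no server-side record because the secret rides inside the return URL. The "cunning trick" for the return URL is not spelled out in the post; here it is modelled as encrypt-then-MAC of the per-attempt secret under a long-term consumer key (HMAC-SHA256 keystream XOR plus a separate HMAC tag, an assumption about one workable construction). How the secret reaches the identity server (an association step) is assumed and not shown. All names, URLs and the master key are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a consumer's long-term key and token lifetime.
# A real deployment would load the key from a secret store, not hard-code it.
CONSUMER_MASTER_KEY = bytes(range(32))
TOKEN_LIFETIME = 300  # seconds a return URL stays valid
RETURN_BASE = "https://consumer.example/return"  # hypothetical consumer endpoint


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def seal_secret(master_key: bytes, secret: bytes, expires: int) -> str:
    """Encrypt-then-MAC the per-attempt secret so it can travel in the return URL
    instead of a server-side session table (assumed construction, see lead-in)."""
    assert len(secret) <= 32, "keystream is one SHA-256 block"
    nonce = os.urandom(16)
    pad = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()[: len(secret)]
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    body = nonce + struct.pack(">Q", expires) + ct
    tag = hmac.new(master_key, b"mac" + body, hashlib.sha256).digest()
    return _b64e(body + tag)


def open_secret(master_key: bytes, token: str, now: int) -> bytes:
    """Verify the tag first, then check expiry, then decrypt. Raises ValueError on any failure."""
    raw = _b64d(token)
    if len(raw) < 16 + 8 + 32:
        raise ValueError("token too short")
    body, tag = raw[:-32], raw[-32:]
    expect = hmac.new(master_key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("token tag mismatch")
    nonce, expires, ct = body[:16], struct.unpack(">Q", body[16:24])[0], body[24:]
    if now > expires:
        raise ValueError("token expired")
    pad = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))


def consumer_start(master_key: bytes, now: int):
    """Consumer side, step 1: fresh 20-byte HMAC-SHA1 secret for this attempt only,
    sealed into the return URL. Returns (secret, return_to); the secret is what the
    consumer would hand to the identity server via its association step (not shown)."""
    secret = os.urandom(20)
    token = seal_secret(master_key, secret, now + TOKEN_LIFETIME)
    return secret, RETURN_BASE + "?" + urlencode({"tok": token})


def sign_assertion(secret: bytes, fields: dict) -> dict:
    """Identity server side: MAC the named fields with HMAC-SHA1 under the shared secret."""
    signed = sorted(fields)
    msg = "\n".join(f"{k}:{fields[k]}" for k in signed).encode()
    sig = hmac.new(secret, msg, hashlib.sha1).digest()
    return dict(fields, signed=",".join(signed), sig=_b64e(sig))


def idserver_respond(secret: bytes, identity: str, return_to: str) -> str:
    """Identity server side: build the redirect back to the consumer with the signed assertion."""
    fields = {"identity": identity, "return_to": return_to}
    return return_to + "&" + urlencode(sign_assertion(secret, fields))


def consumer_verify(master_key: bytes, response_url: str, now: int):
    """Consumer side, step 2: recover the secret from the URL itself and check the MAC.
    Returns the asserted identity, or None if anything fails to verify."""
    try:
        q = {k: v[0] for k, v in parse_qs(urlsplit(response_url).query).items()}
        secret = open_secret(master_key, q["tok"], now)
        signed = q["signed"].split(",")
        if "identity" not in signed or "return_to" not in signed:
            return None  # an assertion that does not bind these is worthless
        msg = "\n".join(f"{k}:{q[k]}" for k in signed).encode()
        expect = hmac.new(secret, msg, hashlib.sha1).digest()
        if not hmac.compare_digest(_b64d(q["sig"]), expect):
            return None
        return q["identity"]
    except (KeyError, ValueError):
        return None
```

Because the sealed token is covered by the assertion's HMAC-SHA1 (it sits inside `return_to`, which is a signed field) and the token's own tag is keyed with the consumer's master key, an attacker who edits the identity, the return URL or the token is caught at one of the two checks; letting the token expire bounds how long a captured URL stays replayable, which is the one piece of state the post says you need anyway.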