Improving OpenIDs use of cryptography 1 - using a MAC

Ben Hyde bhyde at
Sat Jun 4 06:21:00 PDT 2005

On Jun 3, 2005, at 11:03 AM, Paul Crowley wrote:

> Ben Hyde wrote:
>> One thing I sort of like about the design as it stands is the lack of 
>> any state/account/relationship between the client and id servers.
>> I'd prefer not to introduce real accounts between the client-server 
>> <-> id-server.
> This proposal preserves those attributes.


> While you can cache the HMAC-SHA1 secret just as you can cache the DSA 
> key, you don't have to. You only have to keep it for the lifespan of 
> this one authentication attempt, and you have to have some state for 
> that long anyway for security.

the client server does need to get it before requests the assertion, 
correct?   (no big deal, just being sure I'm following along).

>   You can even use cunning tricks to encrypt it into the return URL if 
> you don't want to store it.

actually my note drawing attention to the issue of account-relationship 
between the client-server and the id-server was triggered by noticing 
the cunning in play.  that led me to wonder why such cunning wasn't 
more common.  my hypthisis was that in most systems an 
account-relationship is established, at which point tricks of this 
nature aren't the path of least resistance.

That reminded me that there at _lots_ of features that would leverage 
an account relationship.

I wanted put the bee in people's noddle - recognize that what ever your 
doing to maintain a pool of state in service of security is just the 
tip of the iceberg of state that _lots_ of features would love to have.

  - ben

  I forecast sunny weather!

More information about the yadis mailing list