Maximizing cacheing of server secrets
Brad Fitzpatrick
brad at danga.com
Sun Jun 5 11:46:37 PDT 2005
On Sun, 5 Jun 2005, Paul Crowley wrote:
> This is just a little extra for my list of odds and ends.
>
> We want to be able to use the same cached server secret to authenticate
> more than one user on that server. However, the URLs for those users
> are different, so how are we to know that we can re-use these server
> secrets?
I was hoping this would get addressed!
> Consider the "Randy attack":
Randy didn't like that name. I was just teasing him. :-)
The official name is "ambiguous loop problem":
http://openid.net/ambig-loop.gif
> The most straightforward and secure solution I see is to separate out
> the function of delegating identification from performing it. Brad and
> I put URLs more like this on our web pages:
>
> <link rel="openid.delegate"
> href="http://www.livejournal.com/users/ciphergoth" />
Nice.
So the wire will contain "is_identity=http://www.livejournal.com/users/ciphergoth"
but the consumer library will still validate http://ciphergoth.com/ as the
validated ID.
> If I don't want to give away what LJ user I am to ydnar.com, then as
> Brad suggests, I can delegate to a URL like
>
> http://www.livejournal.com/auth/anonuser?id=27349832
Nice.
- Brad
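As an added example (not code from this thread or from any OpenID library), here is the consumer-side half of what Brad describes above: fetch the claimed URL's page, look for an openid.delegate link, put the delegate href on the wire as is_identity, and still record the claimed URL (http://ciphergoth.com/) as the validated identity. The HTML snippets and the function names are constructed for this example.

```python
from html.parser import HTMLParser


class _LinkFinder(HTMLParser):
    """Collect rel -> href from <link> tags in the claimed identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): v for k, v in attrs if v is not None}
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated tokens; keep the first href per token
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def resolve_identity(claimed_url, html):
    """Return (validated_id, is_identity) for a claimed identity URL.

    validated_id is always the URL the user typed, never the delegate;
    is_identity is what goes on the wire: the openid.delegate href when
    the page declares one, otherwise the claimed URL itself.
    """
    finder = _LinkFinder()
    finder.feed(html)
    delegate = finder.links.get("openid.delegate")
    return claimed_url, (delegate or claimed_url)


# Constructed HTML standing in for what http://ciphergoth.com/ would serve.
CIPHERGOTH_PAGE = """<html><head>
<link rel="openid.delegate"
      href="http://www.livejournal.com/users/ciphergoth" />
</head></html>"""

# Constructed page using the anonymous delegate form from the thread.
ANON_PAGE = ('<link rel="openid.delegate" '
             'href="http://www.livejournal.com/auth/anonuser?id=27349832" />')

if __name__ == "__main__":
    print(resolve_identity("http://ciphergoth.com/", CIPHERGOTH_PAGE))
    print(resolve_identity("http://ciphergoth.com/", ANON_PAGE))
```

A page with no openid.delegate link falls back to the claimed URL for both values, so the consumer's behaviour is unchanged for non-delegating identities.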