Maximizing caching of server secrets

Brad Fitzpatrick brad at
Sun Jun 5 11:46:37 PDT 2005

On Sun, 5 Jun 2005, Paul Crowley wrote:

> This is just a little extra for my list of odds and ends.
> We want to be able to use the same cached server secret to authenticate
> more than one user on that server.  However, the URLs for those users
> are different, so how are we to know that we can re-use these server
> secrets?

I was hoping this would get addressed!

> Consider the "Randy attack":

Randy didn't like that name.  I was just teasing him.  :-)

The official name is "ambiguous loop problem":

> The most straightforward and secure solution I see is to separate out
> the function of delegating identification from performing it.  Brad and
> I put URLs more like this on our web pages:
> <link rel="openid.delegate"
> href="" />


So the wire will contain "is_identity="
but the consumer library will still validate as the
validated ID.

> If I don't want to give away what LJ user I am to, then as
> Brad suggests, I can delegate to a URL like


- Brad
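As an added illustration of the consumer-side behaviour described in the thread above (this is example code written for this page, not code from the original message or from any OpenID library), the following shows a consumer discovering `openid.server` and `openid.delegate` links on a claimed identity page, sending the delegate URL as `is_identity` on the wire, reporting the claimed URL as the validated identity, and keying its cache of server secrets on the server URL so that two different users on the same server share one cached secret. All URLs and pages are constructed placeholders; `Consumer`, `discover` and `fetch_secret` are names assumed here.

```python
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collect the first <link rel="openid.*" href="..."> of each rel on a page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        rel = a.get("rel", "").strip().lower()
        href = a.get("href", "").strip()
        if rel.startswith("openid.") and href:
            self.links.setdefault(rel, href)


def discover(claimed_url, html):
    """Return what the consumer sends on the wire and what it reports as validated.

    claimed_url is the URL the user typed.  is_identity is the openid.delegate
    target, or claimed_url itself when the page carries no delegate link.  The
    server URL is always taken from the claimed page, since that page is what
    authorizes the delegation.
    """
    p = _OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on %s" % claimed_url)
    return {
        "server": server,
        "is_identity": p.links.get("openid.delegate", claimed_url),
        "validated_id": claimed_url,
    }


class Consumer:
    """Caches one server secret (association) per server URL, not per user."""

    def __init__(self, fetch_secret):
        self._fetch_secret = fetch_secret  # assumed callable(server_url) -> bytes
        self._cache = {}

    def secret_for(self, server_url):
        if server_url not in self._cache:
            self._cache[server_url] = self._fetch_secret(server_url)
        return self._cache[server_url]

    def begin(self, claimed_url, html):
        info = discover(claimed_url, html)
        info["secret"] = self.secret_for(info["server"])
        return info


# Constructed sample pages: two users whose home pages delegate to different
# identities on the same (placeholder) server.
SERVER = "http://openid.example.net/server"
PAGES = {
    "http://alice.example.org/": (
        '<html><head>'
        '<link rel="openid.server" href="%s" />'
        '<link rel="openid.delegate" href="http://lj.example.net/users/alice/" />'
        '</head></html>' % SERVER
    ),
    "http://bob.example.org/": (
        '<html><head>'
        '<link rel="openid.server" href="%s" />'
        '<link rel="openid.delegate" href="http://lj.example.net/users/bob/" />'
        '</head></html>' % SERVER
    ),
}


def demo():
    """Run both users through one consumer; return results and the fetch log."""
    fetched = []

    def fetch_secret(server_url):
        # Stand-in for the association handshake; records each real fetch.
        fetched.append(server_url)
        return b"secret-for-" + server_url.encode()

    consumer = Consumer(fetch_secret)
    results = {url: consumer.begin(url, html) for url, html in PAGES.items()}
    return results, fetched


if __name__ == "__main__":
    results, fetched = demo()
    for url, info in results.items():
        print(url, "-> is_identity=%s validated_id=%s" % (info["is_identity"], info["validated_id"]))
    print("secret fetches:", fetched)
```

Running `demo()` fetches the server secret once and reuses it for the second user, because the cache is keyed on the `openid.server` URL rather than on the per-user `is_identity` value; each result still carries the user's own claimed URL as `validated_id`.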

More information about the yadis mailing list