shared secret alternative to DSA

Jean-Luc Delatre jld at
Sun Jun 5 23:54:02 PDT 2005

Paul Crowley wrote:

>> I am not convinced by "secrets in the clear"...
> OK.  Why, incidentally?

Of course for very short lived secrets this is debatable.

>> What about adding some kind of key in the <link re=...  key='... 
>> base64..."  with which one could authenticate the server replies?
>> Because there are really only *two* parties from the very beginning: 
>> the consumer and the ID url issued thru the browser and each of those 
>> is implicitely trustworthy to the other.
> I like this proposal a lot: it is much closer to my personal 
> allegiences on the matter of PKI, which are with things like SPKI and 
> YURL. Unfortunately, to do it right it means importing all of 
> something like SPKI into OpenID, which would kill it stone dead at a 
> stroke.

You assume that this key is bound to the server, it could be per user.
This way, whenever some key is compromised, which will *certainly* 
happen just like user passwords and accounts will be, the confidence in 
the ID url can be restored by renewing the key.
Also if this key is refreshed frequently enough (days? weeks? at 
(knowledgeable) user initiative?) and is used to tag  the comments or 
other kind of interactions, only the contents pertaining to the 
compromised "period" will become dubious.

Still rambling about "secrets in the clear", what about an SKEY scheme:



More information about the yadis mailing list