shared secret alternative to DSA
Jean-Luc Delatre
jld at club-internet.fr
Sun Jun 5 23:54:02 PDT 2005
Paul Crowley wrote:
>
>> I am not convinced by "secrets in the clear"...
>
>
> OK. Why, incidentally?
Snooping.
Of course for very short lived secrets this is debatable.
>> What about adding some kind of key in the <link re=... key='...
>> base64..." with which one could authenticate the server replies?
>> Because there are really only *two* parties from the very beginning:
>> the consumer and the ID url issued thru the browser and each of those
>> is implicitely trustworthy to the other.
>
>
> I like this proposal a lot: it is much closer to my personal
> allegiences on the matter of PKI, which are with things like SPKI and
> YURL. Unfortunately, to do it right it means importing all of
> something like SPKI into OpenID, which would kill it stone dead at a
> stroke.
You assume that this key is bound to the server, it could be per user.
This way, whenever some key is compromised, which will *certainly*
happen just like user passwords and accounts will be, the confidence in
the ID url can be restored by renewing the key.
Also if this key is refreshed frequently enough (days? weeks? at
(knowledgeable) user initiative?) and is used to tag the comments or
other kind of interactions, only the contents pertaining to the
compromised "period" will become dubious.
Still rambling about "secrets in the clear", what about an SKEY scheme:
http://www.derkeiler.com/Newsgroups/sci.crypt/2003-03/0694.html
http://www.derkeiler.com/Newsgroups/sci.crypt/2003-03/0767.html
Cheers,
JLD
More information about the yadis
mailing list