paul at ciphergoth.org
Mon Jun 6 00:52:52 PDT 2005
Brad Fitzpatrick wrote:
> your call, security dictator.
I'll have a quick look to see if there are existing DH libraries this
would break. Anyone know what's already out there?
> Fail and try again works fine for consumer to idserver, but once UA
> redirects are involved you run into both latency and max-redirects limits
> in the browser.
But by the time the UA redirects are involved, the consumer already
knows what authentication is going to be used - they have to, because
they have to know the secret key handle that's going to be used. Unless
they're in dumb consumer mode, in which case they don't care what
authentication is used because the server's going to do all the work for
> How about "auth_pref" is optional and defaults to
> "hmac-sha1", which all servers must support.
Then we don't need to add it to the protocol now - we can do it later,
when we add the next hash function.
> No love for backwards compatibility.
> Old protocol mode will be immediately removed from the CPAN code when new
> code is added. (have we actually decided on this new protocol? is DSA
> out? I'm feeling like it is?)
Certainly looks to me as if the protocol is settling down - I think
adding DH answered the remaining objections to dropping DSA in favour of
\/ o\ Paul Crowley, paul at ciphergoth.org