Field separators
Paul Crowley
paul at ciphergoth.org
Mon Jun 6 00:52:52 PDT 2005
Brad Fitzpatrick wrote:
> your call, security dictator.
I'll have a quick look to see if there are existing DH libraries this
would break. Anyone know what's already out there?
> Fail and try again works fine for consumer to idserver, but once UA
> redirects are involved you run into both latency and max-redirects limits
> in the browser.
But by the time the UA redirects are involved, the consumer already
knows what authentication is going to be used - they have to, because
they have to know the secret key handle that's going to be used. Unless
they're in dumb consumer mode, in which case they don't care what
authentication is used because the server's going to do all the work for
them.
> How about "auth_pref" is optional and defaults to
> "hmac-sha1", which all servers must support.
Then we don't need to add it to the protocol now - we can do it later,
when we add the next hash function.
> No love for backwards compatibility.
Yay.
> Old protocol mode will be immediately removed from the CPAN code when new
> code is added. (have we actually decided on this new protocol? is DSA
> out? I'm feeling like it is?)
Certainly looks to me as if the protocol is settling down - I think
adding DH answered the remaining objections to dropping DSA in favour of
HMAC.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
More information about the yadis
mailing list