cachability of delegated identity URLs / Consumer-Server comms
Ken Horn
ken.horn at clara.co.uk
Thu Jun 9 04:06:18 PDT 2005
Paul Crowley wrote:
> Ken Horn wrote:
>
>> If this is correct, I'm again uncomfortable with the server having to
>> create and store (in general) an association with the consumer (which
>> it has no reason to trust at this point) prior to being requested by
>> an authenticated (to the server) user.
>
>
> Most servers, and certainly any server worried about DoS attacks, will
> not store anything when an association is established.
>
OK, maybe I'm misreading the protocol / spec. Was the flow I mentioned
correct? My gut feel is to only accept requests from consumers that
already know something I've given to a user. Maybe I'm just insecure
though... (or should that be paranoid.. :)
>> If the flow above is correct, do we have a fallback if the secrets
>> change prior to expiry
>
>
> Secrets can never change, but they can be lost. It would be useful to
> have a somewhat wider range of errors that the server can give the
> consumer during identification; that's something that's been flagged
> up but not discussed.
>
Why can't they change? It's maybe terminology but losing a secret, is
one route of change. Another might be to force re-association. Can't a
server choose to change it's secrets / keys etc whenever it chooses?
> > Again, the DSA flow was more robust I think in this regard.
>
> The new protocol is more robust. The DSA secret keys were exactly as
> vulnerable to being lost as the secrets behind the HMAC secrets, but
> because they didn't expire there was no replacement path.
Isn't re-request the replacement path? On the DSA flow (dare I call it
version 1? :), every time I started my process it used fresh keys --
worked fine.
More information about the yadis
mailing list