cachability of delegated identity URLs / Consumer-Server comms

Ken Horn ken.horn at
Thu Jun 9 05:55:26 PDT 2005

Paul Crowley wrote:

> Ken Horn wrote:
>> OK, maybe I'm misreading the protocol / spec. Was the flow I 
>> mentioned correct? My gut feel is to only accept requests from 
>> consumers that already know something I've given to a user. Maybe I'm 
>> just insecure though... (or should that be paranoid.. :)
> The flow is correct.  We use cryptographic cleverness at the server 
> end to obviate the need for the server to store anything.  The 
> protocol doesn't detail this cleverness because it doesn't need to, 
> but basically the server will use a cryptographic transformation to 
> map from the handle to the secret, so it doesn't have to store each 
> entry in the handle -> secret map.
I think this needs to be documented - perhaps as a side bar / 
non-binding note, since it's not obvious (to me anyway).  So the server 
just holds an integer (as a private key?) -- and this expires?

More information about the yadis mailing list