cachability of delegated identity URLs / Consumer-Server comms
Ken Horn
ken.horn at clara.co.uk
Thu Jun 9 05:55:26 PDT 2005
Paul Crowley wrote:
> Ken Horn wrote:
>
>> OK, maybe I'm misreading the protocol / spec. Was the flow I
>> mentioned correct? My gut feel is to only accept requests from
>> consumers that already know something I've given to a user. Maybe I'm
>> just insecure though... (or should that be paranoid.. :)
>
> The flow is correct. We use cryptographic cleverness at the server
> end to obviate the need for the server to store anything. The
> protocol doesn't detail this cleverness because it doesn't need to,
> but basically the server will use a cryptographic transformation to
> map from the handle to the secret, so it doesn't have to store each
> entry in the handle -> secret map.
>
I think this needs to be documented - perhaps as a side bar /
non-binding note, since it's not obvious (to me anyway). So the server
just holds an integer (as a private key?) -- and this expires?
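The stateless handle-to-secret scheme Paul sketches above, worked through as an added example (this is not code from the yadis or OpenID project, and the exact construction the server uses is not specified in the thread). It assumes one long-lived server master key, HMAC-SHA256 as the "cryptographic transformation", and a handle layout of nonce, expiry and an authenticity tag; all three are assumptions chosen to show how the server can recover the secret from the handle alone and how the handle can carry its own expiry:

```python
import base64
import hashlib
import hmac
import os
import struct

# Assumption: the server keeps exactly one long-lived secret instead of a
# handle -> secret table. Constructed value for the example only.
MASTER_KEY = b"constructed-example-master-key-do-not-reuse"
HANDLE_LIFETIME = 3600  # seconds a handle (and its derived secret) stays valid

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_secret(handle: str, key: bytes = MASTER_KEY) -> bytes:
    """Recompute the shared secret from the handle; nothing is looked up."""
    return _mac(key, b"shared-secret|" + handle.encode())

def issue_handle(now: int, key: bytes = MASTER_KEY, lifetime: int = HANDLE_LIFETIME):
    """Server side of the association step: mint a handle and its secret.

    The handle is nonce || expiry || tag, where tag = HMAC(key, nonce || expiry).
    The tag lets the server later reject handles it never minted without
    remembering any of them, and the expiry answers "does this expire?".
    """
    body = os.urandom(8) + struct.pack(">Q", now + lifetime)
    tag = _mac(key, b"handle-tag|" + body)[:16]
    handle = base64.urlsafe_b64encode(body + tag).decode()
    return handle, derive_secret(handle, key)

def verify_handle(handle: str, now: int, key: bytes = MASTER_KEY) -> bool:
    """True only if `handle` was minted under `key` and has not expired."""
    try:
        raw = base64.urlsafe_b64decode(handle.encode())
    except Exception:
        return False
    if len(raw) != 8 + 8 + 16:
        return False
    body, tag = raw[:16], raw[16:]
    if not hmac.compare_digest(tag, _mac(key, b"handle-tag|" + body)[:16]):
        return False
    expiry = struct.unpack(">Q", body[8:16])[0]
    return now < expiry

def sign_assertion(handle: str, message: bytes, now: int, key: bytes = MASTER_KEY):
    """Server signs an assertion for a consumer that presents `handle`.

    Returns None for unknown, forged or expired handles; otherwise the HMAC
    of the message under the secret re-derived from the handle.
    """
    if not verify_handle(handle, now, key):
        return None
    return _mac(derive_secret(handle, key), message)

def consumer_verify(stored_secret: bytes, message: bytes, signature: bytes) -> bool:
    """Consumer side: check the server's signature with the secret it was given."""
    return hmac.compare_digest(_mac(stored_secret, message), signature)

if __name__ == "__main__":
    # Constructed walk-through at a fixed clock so the expiry is visible.
    handle, secret = issue_handle(now=1000)
    sig = sign_assertion(handle, b"identity=alice", now=1500)
    print("consumer accepts:", consumer_verify(secret, b"identity=alice", sig))
    print("after expiry:", sign_assertion(handle, b"identity=alice", now=4600))
```

The point Ken raises (only acting for consumers that already hold something the server issued) is covered by the tag: a handle the server did not mint fails `verify_handle`, and an expired one is refused without any per-handle state. What the server must still protect is the single master key, since rotating it invalidates every outstanding handle at once.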