check_authentication mode is weird
paul at ciphergoth.org
Tue Jun 14 16:29:07 PDT 2005
Brad Fitzpatrick wrote:
> I implemented the check_authentication mode (the one for dumb consumers
> that can't do caching or sha1, etc) but found it a little weird:
> -- you're sending a bunch of params to the server in a request
> but they look/feel like response parameters
They sort-of are. The consumer is saying to the server "here's the
response I got; does it check out?"
> 1) don't care. (easiest for dumb consumers) and then we just
> add a new check mode in the future if we need it.
> 2) care, somehow. (probably not worth it?) I was thinking of
> maybe making a generic "check_sig" mode where consumer just
> sends "assoc_handle", "token", and "sig", and server just
> responds "yes" or "no", but that requires consumers making
> the token, concatenating it all.
"yes" or "no" doesn't cut it - because the server and client clocks may
differ, the server must interpret the valid_to part of the token and
translate it into relative time.
Apart from that, I also see only these two options, though there may be
others I haven't thought of. I think we should do whatever makes least
work for the consumer, which currently looks like option 1 to me.
That's the whole point of dumb mode, after all.
Paul Crowley, paul at ciphergoth.org
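As an added worked example (not code from this thread, nor from any OpenID or yadis implementation), the exchange the two messages describe in Python: the server signs an id_res response, the dumb consumer echoes the same parameters back with the mode changed to check_authentication, and the server recomputes the signature and, rather than answering a bare "yes" or "no", converts valid_to into a lifetime relative to its own clock. The openid.* parameter names, the "name:value\n" token layout, HMAC-SHA1, the timestamp format and the (is_valid, lifetime) return shape are assumptions made for the example, as is the constructed association table.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed server-side state: only the server knows the secret behind a
# handle. A dumb consumer (no caching, no SHA-1) never learns it, so it has
# to hand the whole response back to the server to get it checked.
SERVER_ASSOCIATIONS = {
    "assoc-example-1": b"\x13\x37" * 10,  # constructed 20-byte HMAC-SHA1 key
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # assumed wire format for issued / valid_to
EXAMPLE_NOW = 1_118_791_747       # constructed epoch time used by the demo
REQUIRED_SIGNED = {"identity", "return_to", "valid_to"}


def _fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime(TIME_FMT)


def _parse(text):
    dt = datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_token(params, signed_fields):
    """Token = the signed fields as 'name:value\\n' lines, in the listed order.
    Option 2 in the thread would make the consumer build this; in dumb mode
    the server does it from the echoed parameters."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def compute_sig(secret, token):
    mac = hmac.new(secret, token.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def server_issue_response(handle, identity, return_to, now, ttl_seconds=600):
    """Server side of id_res: sign the parameters sent back via the user agent."""
    secret = SERVER_ASSOCIATIONS[handle]
    signed_fields = ["identity", "return_to", "issued", "valid_to"]
    params = {
        "openid.mode": "id_res",
        "openid.assoc_handle": handle,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.issued": _fmt(now),
        "openid.valid_to": _fmt(now + ttl_seconds),
        "openid.signed": ",".join(signed_fields),
    }
    params["openid.sig"] = compute_sig(secret, build_token(params, signed_fields))
    return params


def consumer_check_request(response_params):
    """Dumb consumer: echo the response, changing only the mode. This is
    exactly why the request 'looks like response parameters'."""
    request = dict(response_params)
    request["openid.mode"] = "check_authentication"
    return request


def server_check_authentication(request, server_now):
    """Returns (is_valid, lifetime_seconds). The lifetime is measured on the
    server's clock, so the consumer never has to interpret valid_to itself and
    clock skew between the two parties does not matter."""
    if request.get("openid.mode") != "check_authentication":
        return False, 0
    secret = SERVER_ASSOCIATIONS.get(request.get("openid.assoc_handle"))
    if secret is None:
        return False, 0
    signed_fields = request.get("openid.signed", "").split(",")
    # Insist that the fields we act on are actually covered by the signature;
    # otherwise a stripped 'signed' list would let unsigned values through.
    if not REQUIRED_SIGNED.issubset(signed_fields):
        return False, 0
    try:
        token = build_token(request, signed_fields)
    except KeyError:
        return False, 0
    if not hmac.compare_digest(compute_sig(secret, token), request.get("openid.sig", "")):
        return False, 0
    lifetime = _parse(request["openid.valid_to"]) - server_now
    if lifetime <= 0:
        return False, 0
    return True, lifetime
```

The consumer caches the positive answer for `lifetime` seconds from the moment it received the reply, on its own clock; it never compares valid_to against local time, which is the point Paul makes about why "yes"/"no" alone is not enough.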