DH Support and Marketing

Jean-Luc Delatre jld at club-internet.fr
Wed Jun 22 22:20:24 PDT 2005


Would it be possible to look again at my proposal, which has been 
quickly ditched by Paul:
having some server authentication key in the <link rel=...> along with 
the server URL?

http://lists.danga.com/pipermail/yadis/2005-June/000582.html
http://lists.danga.com/pipermail/yadis/2005-June/000586.html

Quoting Paul from this last post: "doing their own PK management is 
beyond the majority of OpenID users"
Yes, but it is *not* the user who would have to manage such keys.

We have to assume at the very least that the user has the ability to 
introduce the <link rel=...> element in his home page.
Thus the involved server could create and distribute those keys for the 
users to paste in their <link rel=...>.
Only at this distribution time will there be a vulnerability, but it will 
be an *all or nothing* case (the user being fooled into using an "evil" 
server) and no more problematic than for them to renew any other kind of 
password in the absence of an SSL secured connection.

Any thoughts on this?

JLD
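
The check proposed in this message, sketched as an added example (not code from the post or from the OpenID project): a consumer reads the key pinned in the user's `<link>` element and accepts the server only if the key it presents matches. The `openid.server` rel value, the `key-fingerprint` attribute, the SHA-256 pin format, the URL and the sample keys are all assumptions made for illustration.

```python
import hashlib
import hmac
from html.parser import HTMLParser

SERVER_REL = "openid.server"   # assumed rel value; the post writes only <link rel=...>
KEY_ATTR = "key-fingerprint"   # hypothetical attribute carrying the pinned key


class ServerLink(HTMLParser):
    """Pick up the server URL and pinned fingerprint from the home page."""

    def __init__(self):
        super().__init__()
        self.url = None
        self.pin = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == SERVER_REL:
            self.url, self.pin = a.get("href"), a.get(KEY_ATTR)


def fingerprint(public_key: bytes) -> str:
    """Assumed pin format: SHA-256 over the server's public key bytes."""
    return "sha256:" + hashlib.sha256(public_key).hexdigest()


def server_key_matches(home_page: str, presented_key: bytes) -> bool:
    """True only if the page pins a key and the server presented that key."""
    link = ServerLink()
    link.feed(home_page)
    if not link.pin:
        return False  # no pin pasted into the page: nothing to check against
    expected = link.pin.strip().lower().encode()
    return hmac.compare_digest(expected, fingerprint(presented_key).encode())


def home_page_for(server_key: bytes) -> str:
    """Constructed sample page, as the user would paste it from the server."""
    return ('<html><head><link rel="openid.server" '
            'href="https://idp.example/server" '
            f'{KEY_ATTR}="{fingerprint(server_key)}"></head></html>')


# Constructed placeholder bytes standing in for real public keys.
GOOD_KEY = b"constructed-server-public-key"
EVIL_KEY = b"constructed-impostor-public-key"

if __name__ == "__main__":
    print(server_key_matches(home_page_for(GOOD_KEY), GOOD_KEY))  # pinned server
    print(server_key_matches(home_page_for(GOOD_KEY), EVIL_KEY))  # impostor
```

A page whose pin was pasted from the wrong server at distribution time validates that server, which is the *all or nothing* case the message describes.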





