DH Support and Marketing
Jean-Luc Delatre
jld at club-internet.fr
Wed Jun 22 22:20:24 PDT 2005
Would it be possible to look again at my proposal, which has been
quickly ditched by Paul:
having some server authentication key in the <link rel=...> along with
the server URL?
http://lists.danga.com/pipermail/yadis/2005-June/000582.html
http://lists.danga.com/pipermail/yadis/2005-June/000586.html
Quoting Paul from this last post: "doing their own PK management is
beyond the majority of OpenID users"
Yes, but it is *not* the user who would have to manage such keys.
We have to assume at the very least that the user has the ability to
introduce the <link rel=...> element in his home page.
Thus the involved server could create and distribute those keys for the
users to paste in their <link rel=...>.
Only at this distribution time will there be a vulnerability but it will
be an *all or nothing* case (the user being fooled into using an "evil"
server) and no more problematic than for them to renew any other kind of
password in the absence of an SSL secured connection.
Any thoughts on this?
JLD