Server losing secrets?

Paul Crowley paul at
Fri Jun 24 23:21:09 PDT 2005

Carl Howells wrote:
> I think that would work fine.  Just remember that 'invalidate_handle' 
> would need to be in the openid.signed list in that case, too.  (And be 
> part of the signature, obviously.)

Actually I'm not 100% sure that it would.  After all, the consumer is 
falling back to dumb mode, and the server already knows what handles it 
can accept.

If the consumer is falling back to dumb mode, then all it does is take 
what it received, change "id_res" to "check_authentication" and defer it 
to the server.  "invalidate_handle" will be passed on uninterpreted. 
The server can easily check whether it's able to use the handle in the 
"invalidate_handle" field; if it isn't, it copies that 
"invalidate_handle" field into the reply, at which point the client 
interprets it and acts on it.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list