Server losing secrets?

Brad Fitzpatrick brad at
Sat Jun 25 10:43:07 PDT 2005

On Sat, 25 Jun 2005, Paul Crowley wrote:

> Carl Howells wrote:
> > I think that would work fine.  Just remember that 'invalidate_handle'
> > would need to be in the openid.signed list in that case, too.  (And be
> > part of the signature, obviously.)
> Actually I'm not 100% sure that it would.  After all, the consumer is
> falling back to dumb mode, and the server already knows what handles it
> can accept.
>
> If the consumer is falling back to dumb mode, then all it does is take
> what it received, change "id_res" to "check_authentication" and defer it
> to the server.  "invalidate_handle" will be passed on uninterpreted.
>
> The server can easily check whether it's able to use the handle in the
> "invalidate_handle" field; if it isn't, it copies that
> "invalidate_handle" field into the reply, at which point the client
> interprets it and acts on it.

So you're saying:  "Who cares if it's in the 'signed' group, since we're
doing an actual POST to the id server anyway...  The id server can just
include it in its response, so we know it didn't come from a casual
attacker just trying to empty our cache."

- Brad
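
The exchange discussed above, as an added sketch that is not part of the original thread or of any OpenID implementation: the consumer forwards the redirect's fields unchanged and drops a cached handle only when the server's direct reply echoes "invalidate_handle". The class and function names, the handles and secrets, the hex HMAC encoding, and the direct method call standing in for the POST are all assumptions made for illustration.

```python
import hashlib, hmac

class Server:
    """Identity server; it alone knows which handles it can still accept."""
    def __init__(self):
        self.secrets = {"stateless-1": b"k1", "assoc-good": b"k2"}  # constructed

    def sign(self, handle, params, signed):
        msg = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
        return hmac.new(self.secrets[handle], msg.encode(), hashlib.sha1).hexdigest()

    def check_authentication(self, req):
        handle, signed = req["openid.assoc_handle"], req["openid.signed"].split(",")
        ok = handle in self.secrets and hmac.compare_digest(
            self.sign(handle, req, signed), req["openid.sig"])
        reply = {"is_valid": "true" if ok else "false"}
        stale = req.get("openid.invalidate_handle")
        # Echo the field only when the server itself cannot use that handle.
        if stale is not None and stale not in self.secrets:
            reply["invalidate_handle"] = stale
        return reply

class Consumer:
    def __init__(self, server, cached_handles):
        self.server, self.cache = server, set(cached_handles)

    def handle_id_res(self, params):
        # Dumb-mode fallback: same fields, mode swapped, passed on uninterpreted.
        req = dict(params)
        req["openid.mode"] = "check_authentication"
        reply = self.server.check_authentication(req)  # stands in for the POST
        # Act on the server's direct reply, never on the redirect's own copy.
        if "invalidate_handle" in reply:
            self.cache.discard(reply["invalidate_handle"])
        return reply["is_valid"] == "true"

def make_id_res(server, invalidate=None):
    """Build a constructed id_res; invalidate_handle stays outside 'signed'."""
    p = {"openid.mode": "id_res", "openid.identity": "http://example.com/alice",
         "openid.assoc_handle": "stateless-1", "openid.signed": "identity"}
    p["openid.sig"] = server.sign("stateless-1", p, ["identity"])
    if invalidate:
        p["openid.invalidate_handle"] = invalidate
    return p

if __name__ == "__main__":
    srv = Server()
    rp = Consumer(srv, {"assoc-old", "assoc-good"})
    for h in ("assoc-old", "assoc-good"):
        print(h, rp.handle_id_res(make_id_res(srv, h)), sorted(rp.cache))
```

In the second iteration the unsigned field names a handle the server still accepts, so the reply omits it and the consumer's cache is left intact.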
