Server losing secrets?
Paul Crowley
paul at ciphergoth.org
Sat Jun 25 14:31:55 PDT 2005
Brad Fitzpatrick wrote:
>>and the server already knows what handles it can accept.
>
> What?
Given a handle, the server can figure out whether it's able to produce
the associated secret.
> So you're saying: "Who cares if it's in the 'signed' group, since we're
> doing an actual POST to the id server anyway... The id server can just
> include it in its response, so we know it didn't come from a casual
> attacker just trying to empty our cache."
Exactly.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/