URL relationship permanence

Ernst Johannes jernst+lists.danga.com at netmesh.us
Thu Jun 30 20:32:59 PDT 2005


Let me disagree with both of you guys ... you'd be right if gpg wasn't in the picture, but it is. So I think LID addresses this case, as Xageroth initially claimed.

The LID identity is backed up by a public gpg key, which is "your" public key. Presumably, when you lose your domain/URL, you don't also hand over your private key. (If you do, you are in bigger trouble than we are dealing with here anyway ...)

So if a relying party receives a LID-approved request (such as a single-sign-on request, or an authenticated message, or an authenticated query, or whatever LID profile ...), the relying party will authenticate that request against the public key exported by the corresponding LID. If that public key is different from what it was last time, it indicates "we can make no assertion whether the 'old' and the 'new' LID have anything to do with each other" (although they look identical), exactly because of the scenario you are describing.

Makes sense?

On Jun 30, 2005, at 19:57, Xageroth Sekarius wrote:

> On 6/30/05, Martin Atkins <mart at degeneration.co.uk> wrote:
>
>> Xageroth Sekarius wrote:
>>
>>> LID gets around this problem by being the server as well and
>>> therefore the assertions from the URL endpoint and assertions by
>>> the server are the same.
>>
>> I don't really see how this helps. If you lose the domain you're in,
>> someone can still pose as you by running a LID endpoint on their
>> newly-acquired domain that happens to be the same as that of a
>> pre-existing user. They just need to install LID's CGI script.
>
> Woops, you're right. Wasn't thinking.

Johannes Ernst
  http://netmesh.info/jernst
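The continuity check Johannes describes above (authenticate the request against the key the identity URL currently exports, then compare that key with the one seen on the previous visit), as an added example that is not part of the original thread or of LID's own code; it assumes Ed25519 in place of gpg, a constructed identity URL, and an in-memory pin store on the relying-party side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is what the relying party concludes about one request.
type Verdict string

const (
	FirstSeen  Verdict = "first-seen: pin this key, no prior history for the URL"
	Continuous Verdict = "continuous: same key as last time, same identity"
	KeyChanged Verdict = "key-changed: no assertion that old and new LID are related"
	BadSig     Verdict = "bad-signature: request not made by the holder of the exported key"
)

// RelyingParty remembers, per identity URL, the fingerprint of the public
// key that URL exported when it was last seen. Trust follows the key, not
// the URL, which is exactly the property that survives a lost domain.
type RelyingParty struct{ pinned map[string]string }

func NewRelyingParty() *RelyingParty { return &RelyingParty{pinned: map[string]string{}} }

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Check first verifies the request signature with the key the URL exports now,
// then compares that key with the pinned one. A mismatch is not treated as the
// old identity: the URL looks identical but the key behind it does not.
func (rp *RelyingParty) Check(url string, pub ed25519.PublicKey, msg, sig []byte) Verdict {
	if !ed25519.Verify(pub, msg, sig) {
		return BadSig
	}
	fp := fingerprint(pub)
	prev, seen := rp.pinned[url]
	switch {
	case !seen:
		rp.pinned[url] = fp
		return FirstSeen
	case prev == fp:
		return Continuous
	default:
		return KeyChanged
	}
}

func main() {
	rp := NewRelyingParty()
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	newRegistrantPub, newRegistrantPriv, _ := ed25519.GenerateKey(rand.Reader)
	url := "http://example.org/alice" // constructed identity URL
	msg := []byte("single-sign-on request for " + url)
	fmt.Println(rp.Check(url, ownerPub, msg, ed25519.Sign(ownerPriv, msg)))
	fmt.Println(rp.Check(url, ownerPub, msg, ed25519.Sign(ownerPriv, msg)))
	// The domain lapses and someone else serves a LID endpoint at the same URL
	// with their own key; the URL matches, the pinned key does not.
	fmt.Println(rp.Check(url, newRegistrantPub, msg, ed25519.Sign(newRegistrantPriv, msg)))
}
```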