Yadis Examples

Richard 'toast' Russo russor at msoe.edu
Tue May 17 09:20:15 PDT 2005


On Tue, 17 May 2005, Christopher Schmidt wrote:

> I'm not quite sure how I'm supposed to decrypt the DSA signature that
> LiveJournal's Yadis server returns: I tried importing the sig into GPG,
> to do it that way, but it seems that the public key that LiveJournal
> exports is not valid. I'm not really sure if it's important, either,
> unless I'm concerned about man-in-the-middle attacks, since the identity
> server must preserve arguments, and I can just pass an argument with the
> original URI along.
>
If you don't check the signature, it would be trivially easy for the man 
in the middle to be a 'rogue' browser.  The signature (and key exchange) 
is the only thing that lets you know for sure the other server validated 
the request.



