Net::OpenID::Server
Brad Fitzpatrick
brad at danga.com
Tue May 24 15:02:31 PDT 2005
On Wed, 25 May 2005, Phillip Pearson wrote:
> One concern about this is that for the web server to be able to sign
> requests, it has to be able to get at the private key. If this is run
> on a shared host, other users on that host are likely to be able to
> read the key as well. So while it helps make things more
> *distributed*, it's not necessarily more *secure* - although some sort
> of setuid wrapper would fix this, I suppose.
That's a configuration problem. Your host should have each Apache/PHP
process owned by the uid/gid of each customer, and you guys shouldn't have
access to see each other's files.
- Brad
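The configuration point made above (each customer's server process runs under that customer's uid, and the key file is readable by nobody else) can be checked mechanically. The following POSIX shell script is an added example, not code from the thread or from Net::OpenID::Server: it verifies that a deployed private key is owned by the account the web server process runs as and carries no group or world permission bits. The key path and account name are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity checks for a
# private key deployed on a shared host. The expectation, following the
# reply above, is that the server process runs as the key owner's uid and
# the file is mode 0600 or 0400.

# key_is_private KEYFILE EXPECTED_OWNER
# Returns 0 when KEYFILE is a regular file, owned by EXPECTED_OWNER, with
# no group/other permission bits; returns 1 otherwise.
key_is_private() {
    keyfile=$1
    expected_owner=$2
    [ -f "$keyfile" ] || return 1
    # Parse ls -ld rather than stat: the stat flags differ between GNU and
    # BSD, while the ls -l layout (mode, links, owner, group, ...) is portable.
    set -- $(ls -ld "$keyfile")
    mode=$1
    owner=$3
    [ "$owner" = "$expected_owner" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits;
    # anything other than six dashes means another account can read the key.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# process_matches_owner EXPECTED_OWNER
# Returns 0 when the current process runs as EXPECTED_OWNER, i.e. the
# per-customer uid model described above is actually in effect here.
process_matches_owner() {
    [ "$(id -un)" = "$1" ]
}

# check_key_deployment KEYFILE EXPECTED_OWNER
# Combined check; prints a one-line verdict and returns 0 only if both hold.
check_key_deployment() {
    status=0
    if key_is_private "$1" "$2"; then
        echo "ok: $1 is owned by $2 and not readable by group/other"
    else
        echo "FAIL: $1 is missing, wrongly owned, or readable by group/other"
        status=1
    fi
    if process_matches_owner "$2"; then
        echo "ok: process runs as $2"
    else
        echo "FAIL: process runs as $(id -un), not $2"
        status=1
    fi
    return $status
}

# Usage (placeholders): sh checkkey.sh /path/to/openid-private.key customer1
if [ $# -ge 2 ]; then
    check_key_deployment "$1" "$2"
fi
```

Run it from the same account the web server uses for the site; a failing second line means the host is not running the process as the customer's uid, which is the situation the reply calls a configuration problem.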