Question: Yadis Service URIs in the OpenID Auth case

Kevin Turner kevin at janrain.com
Fri Aug 25 18:06:55 UTC 2006


On Thu, 2006-08-24 at 21:25 -0700, Johannes Ernst wrote:
> That makes it much more possible to share D-H secrets between
> multiple endpoints within the same service element. But is that what
> we think should be the normal case?

For OpenID in particular (not making a general statement that applies to
all Yadis or XRI-using services), I would not recommend ever assuming
that two different endpoint URIs can share secrets.

> Specifically, if I negotiate a shared secret with
>      http://example.com/
> will I be able to use that same shared secret with
>      httpS://example.com/ ?

This example seems particularly troubled, as it throws away much of the
security gained by having SSL certificates from trusted authorities.
(Because the RP won't have checked the certificate directly, which
leaves it up to the user-agent to do, and the user may well be trained
to click through the "warning! certificate problem" message boxes, as
they are all too common, between self-signed certificates and the
inability of vhosted servers without their own IP to get a certificate
with their hostname.)
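As an added illustration of the point above (not code from this thread or from any OpenID library): a hypothetical RP-side association cache keyed on the exact OP endpoint URI, scheme included, so a secret negotiated with http://example.com/ is never handed out for https://example.com/. The class and function names are assumptions made for this example.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical RP-side association cache (added example, not from the thread).
# The cache key is the exact OP endpoint URI, scheme included, so an
# association negotiated with http://example.com/ is never reused for
# https://example.com/, where the RP has not verified a certificate.


@dataclass
class Association:
    handle: str          # assoc_handle returned by the OP
    secret: bytes        # MAC key derived from the D-H exchange
    expires_at: float    # absolute expiry, seconds since the epoch


def endpoint_key(endpoint_url: str) -> str:
    """Canonical cache key: lowercase scheme and host, default port dropped,
    empty path becomes "/", query kept. The scheme is deliberately part of
    the key, so the http and https forms of one host never collide."""
    parts = urlsplit(endpoint_url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("endpoint must be http or https: %r" % endpoint_url)
    host = (parts.hostname or "").lower()
    port = parts.port
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default_port) else "%s:%d" % (host, port)
    key = "%s://%s%s" % (scheme, netloc, parts.path or "/")
    if parts.query:
        key += "?" + parts.query
    return key


class AssociationStore:
    def __init__(self, now=time.time):
        self._by_endpoint = {}
        self._now = now  # injectable clock, so expiry can be tested

    def put(self, endpoint_url: str, assoc: Association) -> None:
        self._by_endpoint[endpoint_key(endpoint_url)] = assoc

    def get(self, endpoint_url: str):
        """Return a live association for exactly this endpoint, else None."""
        assoc = self._by_endpoint.get(endpoint_key(endpoint_url))
        if assoc is None or assoc.expires_at <= self._now():
            return None
        return assoc
```

A cache miss for the https endpoint forces a fresh association over the TLS connection, so the secret used there is one the RP negotiated after its own TLS client validated the server certificate.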
