Minutes From Meeting Today

Recordon, David drecordon at verisign.com
Mon Jun 26 21:26:53 UTC 2006


Considering the XRDS files used in Yadis are supposed to remain simple,
I'd lean toward ignoring normalization and latterly run the contents
through something like md5sum and compare the hashes.  Obviously doing
it the "right way", just using md5sum as an example.

Maybe find a way to augment the Yadis file to say it has an equivalent
identity URL.  Only allow http://X.example.com:Y/Z to point to
https://X.example.com:Y/Z or http://X.example.com:Y/Z.  Then the RP
fetches what the user typed in, grabs the Yadis file, if it points to a
more secure (hard to define if this also allows changing the port) URL
which fits the pattern rules (same URL with only the scheme or port
changing) then the RP fetches that URL, gets its Yadis file, it should
include an SSL pointer to itself (remember they should be the same
file), then the RP compares the resulting hashes.  If they are the same,
it uses the more secure URL, if different it alerts the user of a
possible attack.

Something like that, at least as a 10pm concept?

--David

-----Original Message-----
From: Granqvist, Hans 
Sent: Monday, June 26, 2006 10:18 PM
To: Recordon, David; Martin Atkins; yadis at lists.danga.com
Subject: RE: Minutes From Meeting Today

> Could it be argued that if you hash the Yadis file returned at both 
> non-SSL and SSL and it is the same then they should be treated the 
> same?

I like the idea, if it's possible to overcome the usual
c14n/normalization issues.

Your solution would nip in the bud more esoteric issues of "do
https://abc.com and https://abc.com:8443 differ"

Hans
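
The RP-side check proposed in this thread, sketched as an added example that is not code from the thread or from the Yadis project. Assumptions: the `<EquivalentURL>` element name is hypothetical (the thread does not say how the pointer would be encoded), `fetch` is a caller-supplied function, SHA-256 stands in for the md5sum placeholder, and the sample documents are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hypothetical element name; the thread does not define how the pointer is encoded.
EQUIV_RE = re.compile(rb"<EquivalentURL>(.*?)</EquivalentURL>")

def pointer_of(body):
    """Extract the equivalent-identity pointer from a raw Yadis document, if any."""
    m = EQUIV_RE.search(body)
    return m.group(1).decode() if m else None

def upgrade_allowed(typed, target):
    """Pattern rule: an http URL may point to an https URL differing only in scheme or port."""
    a, b = urlsplit(typed), urlsplit(target)
    return (a.scheme == "http" and b.scheme == "https"
            and a.hostname is not None and a.hostname == b.hostname
            and (a.path or "/", a.query) == (b.path or "/", b.query))

def resolve(typed_url, fetch):
    """Return (url, status); fetch(url) -> bytes is supplied by the caller."""
    body = fetch(typed_url)
    target = pointer_of(body)
    if target is None or target == typed_url:
        return typed_url, "no-upgrade"
    if not upgrade_allowed(typed_url, target):
        return typed_url, "pointer-rejected"
    secure_body = fetch(target)
    # The secure copy must point to itself and be byte-identical (no normalization).
    same = hashlib.sha256(body).digest() == hashlib.sha256(secure_body).digest()
    if pointer_of(secure_body) != target or not same:
        return None, "alert-user"
    return target, "upgraded"

# Constructed sample documents standing in for network fetches.
DOC = b"<XRDS><EquivalentURL>https://x.example.com:8443/z</EquivalentURL></XRDS>"
EVIL = b"<XRDS><EquivalentURL>https://evil.example.net/z</EquivalentURL></XRDS>"
GOOD = {"http://x.example.com/z": DOC, "https://x.example.com:8443/z": DOC}
TAMPERED = {"http://x.example.com/z": DOC,
            "https://x.example.com:8443/z": DOC + b"<!-- altered -->"}
OFFSITE = {"http://x.example.com/z": EVIL}

if __name__ == "__main__":
    for name, docs in (("good", GOOD), ("tampered", TAMPERED), ("offsite", OFFSITE)):
        print(name, resolve("http://x.example.com/z", docs.__getitem__))
```

Because the comparison is over raw bytes, any whitespace or encoding difference between the two served copies produces an alert, which is the trade-off of skipping normalization.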
 

