[OpenID] is openid 2.0 a lightweight identity system?
sappenin at gmail.com
Thu Feb 8 23:40:53 UTC 2007
> -----Original Message-----
> From: Robert Yates [mailto:robyates70 at gmail.com]
> For example, how much resistance would there actually be to removing
> "Diffie-Hellman Associations" and instead always relying upon a
> "Direct Request". If folks really want to use associations they can
> always fall back to openid 1.1 which "should" be supported by all
> parties anyway.
Actually, Hans and I have been having a pretty good discussion about why
Direct Verification is more susceptible to MITM attacks, whereas DH
Associations make the protocol less susceptible to these types of attacks.
If you've recently subscribed the list, you can read the archives here:
See the subject: "[OpenID] OpenId Association Timeout Recommendations"
(The subject doesn't quite match the topic of the thread, unfortunately).
More information about the general