[OpenID] Is the Diffie-Helman key exchange mechanism necessary?

Simon Spero ses at unc.edu
Sun Mar 18 03:08:17 UTC 2007

I'm not sure if the DH mechanism is that big a win.

If the claimed ID is an https:// URL, then the  discovery will involve an
SSL  key exchange.

If the identity provider endpoint is on the same  server, then the session
created in the discovery process will almost certainly still be valid.
If that key is valid, then relying  on transport level encryption will avoid
the additional PKOPs.

If  the session  is expired, or if the endpoint is on a separate host then
establishing an SSL connection will involve some PKOPs; any DH PKOPs will
still be superfluous.

Why not rely on the transport layer to cover the key exchange ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070317/bd6ed58c/attachment-0001.htm>

More information about the general mailing list