[OpenID] Is the Diffie-Hellman key exchange mechanism necessary?
Simon Spero
ses at unc.edu
Sun Mar 18 03:08:17 UTC 2007
I'm not sure if the DH mechanism is that big a win.
If the claimed ID is an https:// URL, then the discovery will involve an
SSL key exchange.
If the identity provider endpoint is on the same server, then the session
created in the discovery process will almost certainly still be valid.
If that key is valid, then relying on transport level encryption will avoid
the additional PKOPs.
If the session is expired, or if the endpoint is on a separate host then
establishing an SSL connection will involve some PKOPs; any DH PKOPs will
still be superfluous.
Why not rely on the transport layer to cover the key exchange?
Simon
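For readers weighing the argument above, here is an added example (not code from the post or from any OpenID library) that runs both sides of the OpenID 2.0 DH-SHA256 association the thread refers to, counts the modular exponentiations it costs, and contrasts it with the no-encryption session type that hands the MAC key to the transport layer. It assumes the 1024-bit MODP prime from RFC 2409 group 2 as the modulus instead of the OpenID default (the RP may send its own dh_modulus, so the arithmetic is identical) and a constructed 32-byte MAC key.

```python
import hashlib
import secrets

# Assumption: RFC 2409 group 2 prime stands in for the OpenID 2.0 default modulus.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def btwoc(n: int) -> bytes:
    """OpenID 2.0 btwoc: shortest big-endian two's-complement encoding of n >= 0."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dh_sha256_association(mac_key: bytes):
    """Run both ends of a DH-SHA256 association.

    Returns (mac_key as recovered by the relying party, number of modular
    exponentiations spent), so the 'extra PKOPs' in the thread can be seen.
    """
    pkops = 0
    # Relying party: dh_consumer_public = g^x mod p.
    x = secrets.randbelow(P - 2) + 1
    rp_public = pow(G, x, P); pkops += 1
    # OpenID provider: dh_server_public = g^y mod p, shared = (g^x)^y mod p.
    y = secrets.randbelow(P - 2) + 1
    op_public = pow(G, y, P); pkops += 1
    shared = pow(rp_public, y, P); pkops += 1
    enc_mac_key = xor_bytes(hashlib.sha256(btwoc(shared)).digest(), mac_key)
    # Relying party: shared = (g^y)^x mod p, then unmask enc_mac_key.
    shared_rp = pow(op_public, x, P); pkops += 1
    recovered = xor_bytes(hashlib.sha256(btwoc(shared_rp)).digest(), enc_mac_key)
    return recovered, pkops


def no_encryption_association(mac_key: bytes, transport_is_tls: bool) -> bytes:
    """session_type=no-encryption: mac_key is sent as-is, so only TLS protects it."""
    if not transport_is_tls:
        raise ValueError("refusing no-encryption association on a plaintext transport")
    return mac_key
```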