[OpenID] Is the Diffie-Helman key exchange mechanism necessary?
drecordon at verisign.com
Mon Mar 19 18:49:47 UTC 2007
So yes, when using SSL, DH is no longer needed to protect the MAC
key. OpenID pre-1.0 originally had no DH, though people encouraged Brad
to add it for non-SSL cases.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Simon Spero
Sent: Saturday, March 17, 2007 8:08 PM
To: general at openid.net
Subject: [OpenID] Is the Diffie-Helman key exchange mechanism necessary?
I'm not sure if the DH mechanism is that big a win.
If the claimed ID is an https:// URL, then the discovery will involve
an SSL key exchange.
If the identity provider endpoint is on the same server, then the
session created in the discovery process will almost certainly still be
If that key is valid, then relying on transport level encryption will
avoid the additional PKOPs.
If the session is expired, or if the endpoint is on a separate host
then establishing an SSL connection will involve some PKOPs; any DH
PKOPs will still be superfluous.
Why not rely on the transport layer to cover the key exchange?
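To make the trade-off in this thread concrete, here is an added Python example (not code from the thread, and not from any OpenID library) that simulates an OpenID association in both session types the spec allows: DH-SHA1, where the provider wraps the MAC key as SHA1(btwoc(g^xy mod p)) XOR mac_key, and no-encryption, where the MAC key is sent as-is. It assumes a toy DH group (the prime 2^255-19 with generator 2) in place of the spec's default 1024-bit modulus; the arithmetic is the same. The returned `wire` dict is what a passive observer of plain HTTP would see, which is the case DH is there for; over SSL that observer does not exist, which is the point both messages above make.

```python
import hashlib
import hmac
import os
import secrets

# Toy DH group (assumption for the demo): a well-known prime, NOT the default
# 1024-bit modulus shipped in the OpenID spec. Any prime gives the same flow.
P = 2**255 - 19
G = 2


def btwoc(n: int) -> bytes:
    """Shortest big-endian two's-complement encoding of a non-negative int,
    the byte format OpenID uses for DH values (leading 0x00 if high bit set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair():
    """Private exponent x in [1, P-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_mac_key(mac_key: bytes, shared: int) -> bytes:
    """DH-SHA1 session type: enc_mac_key = SHA1(btwoc(g^xy mod p)) XOR mac_key."""
    return xor_bytes(hashlib.sha1(btwoc(shared)).digest(), mac_key)


unwrap_mac_key = wrap_mac_key  # XOR with the same one-time pad is its own inverse


def associate(session_type: str = "DH-SHA1"):
    """Simulate one association request/response.

    Returns (mac_key_at_op, mac_key_at_rp, wire), where `wire` holds every
    value that crosses the network and is therefore visible on plain HTTP.
    """
    mac_key = os.urandom(20)  # 160-bit key for HMAC-SHA1, chosen by the OP
    if session_type == "no-encryption":
        # Nothing protects the key here; this is only safe inside TLS.
        wire = {"mac_key": mac_key}
        return mac_key, wire["mac_key"], wire
    if session_type != "DH-SHA1":
        raise ValueError(f"unsupported session type {session_type!r}")
    # Relying party: generates its DH pair and sends the public value
    rp_priv, rp_pub = dh_keypair()
    # OpenID provider: own DH pair, derives the shared secret, wraps the key
    op_priv, op_pub = dh_keypair()
    enc_mac_key = wrap_mac_key(mac_key, pow(rp_pub, op_priv, P))
    wire = {"rp_pub": rp_pub, "op_pub": op_pub, "enc_mac_key": enc_mac_key}
    # Relying party: recovers the MAC key from the response with its own exponent
    rp_mac_key = unwrap_mac_key(enc_mac_key, pow(op_pub, rp_priv, P))
    return mac_key, rp_mac_key, wire


def sign(mac_key: bytes, fields: dict) -> bytes:
    """OpenID-style signature: HMAC over 'key:value\\n' lines of the signed fields."""
    msg = "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()
    return hmac.new(mac_key, msg, hashlib.sha1).digest()


def verify(mac_key: bytes, fields: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(mac_key, fields), sig)


if __name__ == "__main__":
    for st in ("DH-SHA1", "no-encryption"):
        op_key, rp_key, wire = associate(st)
        leaked = any(v == op_key for v in wire.values())
        print(f"{st}: RP and OP agree={op_key == rp_key}, MAC key visible on wire={leaked}")
```

Run it and the DH-SHA1 line reports the key agreed but not visible on the wire, while no-encryption reports it visible; an eavesdropper on the DH exchange sees only the two public values and the XOR-wrapped key, and without one of the private exponents cannot recover the pad.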