[OpenID] Is the Diffie-Helman key exchange mechanism necessary?

Recordon, David drecordon at verisign.com
Mon Mar 19 18:49:47 UTC 2007

Hey Simon,
So yes, when using SSL DH becomes no longer needed to protect the MAC
key.  OpenID pre-1.0 originally had no DH, though people encouraged Brad
to add it for non-SSL cases.


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Simon Spero
Sent: Saturday, March 17, 2007 8:08 PM
To: general at openid.net
Subject: [OpenID] Is the Diffie-Helman key exchange mechanism necessary?

I'm not sure if the DH mechanism is that big a win.  

If the claimed ID is an https:// URL, then the  discovery will involve
an SSL  key exchange.  

If the identity provider endpoint is on the same  server, then the
session created in the discovery process will almost certainly still be
If that key is valid, then relying  on transport level encryption will
avoid the additional PKOPs.  

If  the session  is expired, or if the endpoint is on a separate host
then establishing an SSL connection will involve some PKOPs; any DH
PKOPs will still be superfluous. 

Why not rely on the transport layer to cover the key exchange ?  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070319/d6be2387/attachment-0002.htm>

More information about the general mailing list