[OpenID] RP's storing user-data at OP's (but inaccessible to OP's)

SitG Admin sysadmin at shadowsinthegarden.com
Thu Apr 30 05:08:48 UTC 2009

Just an odd thought that came to me while considering OAuth; and also 
while wondering how to privately store users' data off-site so that 
my RP wouldn't need to retain any data on users at ALL; 
(asymmetrically) encrypt the key and some validating data (to confirm 
decryption later), then wrap up that and all the data to transmit to 
the OP, which would be responsible for sending the user back with 
that data later on. Exporting the data (including selectively, if the 
user decided they didn't want to export *all* of it) could be done 
with different keys, appropriate to the party receiving that user's 
data. Even then, the RP would hold that user's data only temporarily, 
long enough to transmit elsewhere.


More information about the general mailing list