[OpenID] RP's storing user-data at OP's (but inaccessible to OP's)
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Apr 30 05:08:48 UTC 2009
Just an odd thought that came to me while considering OAuth; and also
while wondering how to privately store users' data off-site so that
my RP wouldn't need to retain any data on users at ALL;
(asymmetrically) encrypt the key and some validating data (to confirm
decryption later), then wrap up that and all the data to transmit to
the OP, which would be responsible for sending the user back with
that data later on. Exporting the data (including selectively, if the
user decided they didn't want to export *all* of it) could be done
with different keys, appropriate to the party receiving that user's
data. Even then, the RP would hold that user's data only temporarily,
long enough to transmit elsewhere.
-Shade
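
An added sketch of the scheme described in the message above, not code from the original post: the RP encrypts the user's data under a fresh symmetric key, wraps that key together with a validator under its own public key, and later opens the blob the OP hands back. The choice of RSA-OAEP and AES-256-GCM, the `RPBLOB01` validator, the function names, and binding the blob to the user's claimed identifier are all assumptions of this example.

```javascript
const crypto = require('crypto');

// Constructed RP key pair; a real RP would load one long-lived key from protected storage.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const MAGIC = Buffer.from('RPBLOB01'); // assumed "validating data" wrapped beside the key

// Encrypt userData under a fresh AES-256-GCM key, then wrap MAGIC||key with the RP public key.
// claimedId is bound as associated data so a blob cannot be replayed under another identity.
function sealForOp(userData, claimedId) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(claimedId));
  const ct = Buffer.concat([cipher.update(userData, 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.concat([MAGIC, key]));
  // Everything returned here is opaque to the OP, which only stores it and hands it back.
  return [wrapped, iv, cipher.getAuthTag(), ct].map(b => b.toString('base64')).join('.');
}

// Returns the plaintext, or null if the blob was not sealed for this RP key and identity.
function openFromOp(blob, claimedId) {
  try {
    const [wrapped, iv, tag, ct] = blob.split('.').map(s => Buffer.from(s, 'base64'));
    const inner = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
    if (!inner.subarray(0, MAGIC.length).equals(MAGIC)) return null; // validator mismatch
    const decipher = crypto.createDecipheriv('aes-256-gcm', inner.subarray(MAGIC.length), iv);
    decipher.setAAD(Buffer.from(claimedId));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // malformed blob, failed OAEP unwrap, or failed GCM tag check
  }
}
```

The RP keeps only its private key between visits; a blob that the OP altered or returned under a different identifier fails to open rather than yielding wrong data.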