security
Pete Rowley
prowley at redhat.com
Tue Oct 24 18:43:11 UTC 2006
Dan Lyke wrote:
> There's a bit of a pause at editing "known_hosts" when the server
> identity changes, and if the consensus runs away from an additional
> layer of trust in terms of CAs, perhaps that's a place that we can
> take a cue from SSH, asking relying parties to cache and verify in
> subsequent connections the server identity.
>
What would that do for them exactly? In the case of SSH there is
presumably a limited number of hosts that one is interested in, and in
an enterprise deployment the host keys can be distributed ahead of time.
However, an RP will be expecting an unknown number of IdPs; what does
key caching do for them? What action would they take when the keys don't
match?
--
Pete