security
Pete Rowley
prowley at redhat.com
Wed Oct 25 20:35:10 UTC 2006
Dan Lyke wrote:
> Personally, I'm thinking that some sort of private key and a cache so
> that an RP can verify that it's retrieving information from the same
> IdP it did before is much more likely to actually get deployed.
>
Sure - but that doesn't make it a good solution. Introducing persistent
key pairs at all requires the group to work on key management. How do
you revoke a key? How do you recover from key loss? Domain transfer?
Adding keys without answers to those questions makes the "solution"
unwise to deploy even if it _is_ deployed.
Or you could use certs.
--
Pete
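The two designs under discussion, as an added example that is not part of this thread and not code from any OpenID implementation: a relying party (RP) that pins the identity provider's (IdP) public key on first use, beside an RP that instead checks a key statement issued by a trust anchor with an expiry and a revocation list. It shows concretely which of the questions above (revocation, key loss, domain transfer) each model can answer. All keys, the `idp.example` / `other.example` domains and the assertion text are constructed; the signature scheme is textbook RSA over tiny primes, used only so the example runs offline, and is not a real signature scheme.

```python
"""Added example, not from the OpenID thread: trust-on-first-use key pinning
versus an anchor-issued key statement with expiry and revocation."""
import hashlib

# --- toy textbook RSA with tiny primes: illustration only, not a real scheme ---
def toy_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    d, n = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(msg, n)

# --- model 1: the RP caches whatever key it saw first (trust on first use) ---
class PinningRP:
    def __init__(self):
        self.pins = {}                             # IdP domain -> pinned public key

    def check(self, idp: str, pub, msg: bytes, sig: int) -> str:
        if not verify(pub, msg, sig):
            return "bad-signature"
        pinned = self.pins.setdefault(idp, pub)    # first contact pins the key
        return "ok" if pinned == pub else "key-mismatch"

# --- model 2: a trust anchor binds domain to key, with expiry and revocation ---
def cert_body(domain: str, pub, not_after: int) -> bytes:
    return f"{domain}|{pub[0]}|{pub[1]}|{not_after}".encode()

def issue_cert(anchor_priv, domain: str, pub, not_after: int):
    return (domain, pub, not_after, sign(anchor_priv, cert_body(domain, pub, not_after)))

class CertRP:
    def __init__(self, anchor_pub):
        self.anchor_pub = anchor_pub
        self.revoked = set()                       # public keys the anchor has withdrawn

    def check(self, idp: str, cert, msg: bytes, sig: int, now: int) -> str:
        domain, pub, not_after, anchor_sig = cert
        body = cert_body(domain, pub, not_after)
        if domain != idp or not verify(self.anchor_pub, body, anchor_sig):
            return "bad-cert"
        if now > not_after:
            return "expired"
        if pub in self.revoked:
            return "revoked"
        return "ok" if verify(pub, msg, sig) else "bad-signature"

def run_scenarios():
    idp = "idp.example"                            # constructed domain
    pub_a, priv_a = toy_keypair(61, 53)            # IdP's original key
    pub_b, priv_b = toy_keypair(101, 113)          # replacement after key loss
    anchor_pub, anchor_priv = toy_keypair(97, 89)  # trust anchor (CA-like), hypothetical
    msg = b"assertion: alice@idp.example is authenticated"   # constructed
    out = {}

    pin = PinningRP()
    out["pin_first"] = pin.check(idp, pub_a, msg, sign(priv_a, msg))
    out["pin_again"] = pin.check(idp, pub_a, msg, sign(priv_a, msg))
    # Key A is lost and the IdP signs with B. The RP cannot tell a legitimate
    # rotation (or a domain transfer) from substitution, and nothing in this
    # design lets the IdP revoke A or prove that B is its successor.
    out["pin_after_loss"] = pin.check(idp, pub_b, msg, sign(priv_b, msg))

    crp = CertRP(anchor_pub)
    cert_a = issue_cert(anchor_priv, idp, pub_a, not_after=200)
    out["cert_ok"] = crp.check(idp, cert_a, msg, sign(priv_a, msg), now=100)
    out["cert_expired"] = crp.check(idp, cert_a, msg, sign(priv_a, msg), now=300)
    # Recovery path: the anchor revokes A and issues a statement for B.
    crp.revoked.add(pub_a)
    cert_b = issue_cert(anchor_priv, idp, pub_b, not_after=400)
    out["cert_revoked"] = crp.check(idp, cert_a, msg, sign(priv_a, msg), now=100)
    out["cert_rotated"] = crp.check(idp, cert_b, msg, sign(priv_b, msg), now=100)
    # Domain transfer: a statement for another domain does not bind to idp.example.
    cert_other = issue_cert(anchor_priv, "other.example", pub_b, not_after=400)
    out["cert_wrong_domain"] = crp.check(idp, cert_other, msg, sign(priv_b, msg), now=100)
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20} {result}")
```

The pinning RP has exactly one answer for every change of key, "key-mismatch", whether the cause is a lost key, a planned rotation or a transferred domain; the anchor-based RP distinguishes expired, revoked and mis-bound statements and has a rotation path, which is the key-management work the message says must be done before persistent keys are worth deploying.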