[OpenID] why is xri so obtuse?

Bob Wyman bob at wyman.us
Wed Jan 3 00:57:34 UTC 2007


On 1/2/07, James A. Donald <jamesd at echeque.com> wrote:
>
> Calculate the probability of deliberately or
> maliciously duplicating an existing key.


The probability is non-zero -- although very small.

For some definitions of "secure," self-generated keys are not secure -- at
least, if you use the kind of definition for "secure" that Dave Kearns seems
to be using. But, you may have a less stringent definition of what it means
to be secure and thus the risk of duplication may be low enough to satisfy
you even though Dave wouldn't be satisfied. In that case, you would say
self-generated keys are secure and Dave would say they aren't. So, you would
both be correct -- within the bounds of your own definitions of what it
means to be "secure"... On the other hand, if you agree with Dave, even a
little bit, then, you would probably tend to use a central issuer who can
prevent some of the failure modes that lead to duplications. But, even then,
you would have to recognize that no known public/private key pair system can
give you guaranteed persistent security over all time. Thus, even if you end
up agreeing with Dave, you would still both be wrong. So, take your pick.
You're either both right or both wrong and you are both right and wrong at
the same time. In any case, a tie is the best you can do here.

bob wyman