[OpenID] Secure attribute transmission
Andrew Arnott
andrewarnott at gmail.com
Sun Aug 3 21:47:34 UTC 2008
Reusing the association secret and encrypting attribute values using that as
a shared key is an interesting possibility. It's not in any of the specs,
however, and I've heard some in the OpenID community look down on
'overloading' an association. But it certainly sounds possible.
On Sun, Aug 3, 2008 at 2:17 PM, Johnny Bufu <johnny.bufu at gmail.com> wrote:
>
>
> On 03/08/08 11:27 AM, Easysurfer at gmx.de wrote:
> > I'd like to transmit sensitive data over the Attribute Exchange Extension
> and was wondering about the best way for encryption.
> [...]
> > Any ideas? I'd like to pass the info over using only the OpenID
> > protocol, not invent another protocol for my own use.
>
> If what you're trying to avoid is the exchange of another secret key
> (and not require the RP to offer a HTTPS endpoint), then your only
> option is to enforce stateful mode and use the shared association
> secret to encrypt the attributes.
>
> Otherwise, the exchange of the encryption key can be done through
> attribute exchange. Working with the same assumption that RPs can't
> generally afford HTTPS endpoints, the key exchange would have to be
> initiated by the RP against a HTTPS OP endpoint, e.g. through an AX store
> request.
>
>
> Johnny
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
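As an added example (not from the thread or either author), this Python sketch shows one way to act on "use the shared association secret to encrypt the attributes" without literally overloading the association: HKDF derives separate encryption and MAC subkeys from the association MAC key, bound to the association handle, and the tag also covers the AX alias so a ciphertext cannot be swapped between attributes. The association key and handle are constructed sample values, and the HMAC-SHA256 stream cipher stands in for a standard AEAD such as AES-GCM, which the standard library lacks.

```python
import base64, hashlib, hmac, os, struct

# Constructed sample values standing in for a stateful-mode association
# (HMAC-SHA256 association type). Not real OpenID data.
ASSOC_HANDLE = b"example-assoc-handle"
ASSOC_MAC_KEY = hashlib.sha256(b"constructed demo association mac key").digest()

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_ax_keys(mac_key: bytes, handle: bytes) -> tuple:
    # Domain-separated subkeys: the association MAC key itself is never used
    # for encryption, and the handle ties the subkeys to this association.
    okm = hkdf_sha256(mac_key, handle, b"openid.ax attribute encryption v1", 64)
    return okm[:32], okm[32:]

def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    # PRF-in-counter-mode keystream; a stand-in for AES-GCM in this demo.
    blocks = [hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt_attribute(mac_key: bytes, handle: bytes, alias: str, value: str) -> str:
    k_enc, k_mac = derive_ax_keys(mac_key, handle)
    nonce, pt = os.urandom(16), value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    # Encrypt-then-MAC; the alias is authenticated so the blob is bound to it.
    tag = hmac.new(k_mac, alias.encode() + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt_attribute(mac_key: bytes, handle: bytes, alias: str, blob: str) -> str:
    k_enc, k_mac = derive_ax_keys(mac_key, handle)
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(k_mac, alias.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("attribute value failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct)))).decode()
```

The encrypted blob would travel as the value of an AX attribute; the OP and RP must agree on the info string and the encoding, which is exactly the "another protocol" the original poster wanted to avoid.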