[OpenID] Verisign Announces Free OpenID Digital Lockbox

Peter Williams pwilliams at rapattoni.com
Mon Feb 23 05:43:42 UTC 2009


Still say hash chains are the perfect handoff between OP and OAuth consumer (in order to provision the OAuth consumer key/secret).

> This is pretty tricky, because the solution would probably imply that
> the OP is able to generate OAuth credentials for the SP. Presumably both
> the SP and the OP would need to agree on how to provision and verify
> consumer keys (and consumer secrets) and somehow the user would need a
> way to revoke an OAuth credential after it's been issued.

Assertion provides public root of hash chain plus pointer to particular anchored extension in user's (vanity) XRDS, which contains the release hash chain value for that day, per OAuth consumer.

Patent it quick (defensively).

Essentially, hash chain value is a short-life capability, which self-revokes at the end of the period=day. This assumes the OAuth consumer is trustworthy (which I understand to be a problem generically, in the OAuth world).
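The daily-release hash chain described in the message above, sketched as an added example that is not part of the original post. It assumes SHA-256, a 365-day chain and one chain per OAuth consumer; the names `ChainIssuer`, `release` and `verify` are hypothetical, the seed is a constructed sample, and how the values travel in the assertion or XRDS is not modelled.

```python
import hashlib
import hmac

CHAIN_DAYS = 365  # assumed chain lifetime: one released value per day


def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def iterate(value: bytes, steps: int) -> bytes:
    """Apply h() to value `steps` times."""
    for _ in range(steps):
        value = h(value)
    return value


class ChainIssuer:
    """OP side: holds the secret seed of one OAuth consumer's chain."""

    def __init__(self, seed: bytes, days: int = CHAIN_DAYS):
        self._seed = seed
        self.days = days
        self.root = iterate(seed, days)  # public root, carried in the assertion

    def release(self, day: int) -> bytes:
        """Value published for `day` (1-based); later days sit closer to the seed."""
        if not 1 <= day <= self.days:
            raise ValueError("day outside chain lifetime")
        return iterate(self._seed, self.days - day)


def verify(root: bytes, value: bytes, today: int) -> bool:
    """SP side: accept only a value that reaches root in exactly `today` hashes."""
    if today < 1:
        return False
    return hmac.compare_digest(iterate(value, today), root)


def demo() -> dict:
    issuer = ChainIssuer(seed=b"constructed-sample-seed")  # constructed, not a real secret
    v10 = issuer.release(10)
    return {
        "fresh": verify(issuer.root, v10, today=10),
        "stale": verify(issuer.root, v10, today=11),  # day-10 value has expired on day 11
        "older_derivable": h(v10) == issuer.release(9),  # past values are computable
        "forged": verify(issuer.root, b"\x00" * 32, today=10),
    }
```

Expiry here depends on the verifier counting hash steps from its own clock: a holder of the day-10 value can compute every earlier day's value but not day 11's, so revocation amounts to the OP not publishing the next value.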


