[OpenID] D-H vs SSL

Allen Tom atom at yahoo-inc.com
Thu Mar 19 18:29:20 UTC 2009


If we consider OAuth's secret exchange mechanism for HMAC-SHA1 sigs,

    * OAuth Service Providers usually issue a Consumer Secret to the
      developer, without any input from the developer (hopefully via HTTPS).
    * OAuth Request Token and Access Token secrets are issued by the
      Service Provider to the Consumer (also, hopefully via HTTPS),
      without any input from the Consumer.

Returning cleartext secrets via HTTPS would be consistent with OAuth.

Although DH on top of SSL is safer than cleartext and SSL, is the 
overhead of having the spec discuss DH worth it? If the OP is unable to 
generate a strong secret on its own, or if the transport layer between 
the RP and OP cannot be secured using HTTPS, then arguably the entire 
system has issues.

I only mention DH, not because I have an issue with DH, but because one 
of OpenID's most desirable traits is its relative simplicity. The spec 
is pretty straightforward, and it's not all that hard to implement. 
Sites that want a richer (and more complicated) SSO protocol standard 
have alternatives that are already in production and are widely used.

Allen

Ben Laurie wrote:
> Ah. I see.
>
> So, I am going to be lazy, because I have not checked the spec, but
> it's considered good practice when establishing a shared secret for
> both sides to contribute to that secret. Is that true for the
> cleartext secret?
>
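Added example, not part of Allen's or Ben's mail and not the OpenID project's code: the two association styles under discussion, side by side in Python. The DH path follows the shape of OpenID's DH-SHA256 session (RP sends g^x, OP answers with g^y and the MAC key XORed with SHA-256 of the shared secret), so both sides contribute to the final secret; the "no-encryption" path is the OP-issued cleartext key that only the transport protects. Assumptions: the modulus is a constructed demo value (the Mersenne prime 2^521-1), not OpenID's default modulus, and the field names are borrowed from the spec only for readability.

```python
import hashlib
import secrets

# Constructed demo parameters (assumption): a Mersenne prime as the group
# modulus, generator 2. OpenID 2.0 defines its own default modulus, which is
# deliberately not reproduced here; a real implementation must use that value.
DEMO_P = 2**521 - 1
DEMO_G = 2


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer, as
    OpenID uses for DH values (a leading zero byte keeps the sign bit clear)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dh_association(p: int = DEMO_P, g: int = DEMO_G):
    """DH-SHA256 style association. Returns the OP's MAC key, the key the RP
    recovers, and the fields the OP would put on the wire."""
    # RP contributes: private exponent x, public value g^x (dh_consumer_public)
    x = secrets.randbelow(p - 2) + 1
    dh_consumer_public = pow(g, x, p)
    # OP contributes: its own exponent y and a fresh MAC key, which it masks
    # with the hash of the shared secret instead of sending it in the clear
    y = secrets.randbelow(p - 2) + 1
    dh_server_public = pow(g, y, p)
    mac_key = secrets.token_bytes(32)
    op_shared = pow(dh_consumer_public, y, p)
    enc_mac_key = xor_bytes(hashlib.sha256(btwoc(op_shared)).digest(), mac_key)
    # RP unmasks with its own exponent; neither side alone fixed the mask
    rp_shared = pow(dh_server_public, x, p)
    rp_mac_key = xor_bytes(hashlib.sha256(btwoc(rp_shared)).digest(), enc_mac_key)
    wire = {"dh_server_public": dh_server_public, "enc_mac_key": enc_mac_key}
    return mac_key, rp_mac_key, wire


def cleartext_association():
    """'no-encryption' session: the OP alone picks the MAC key and returns it
    as-is, so confidentiality rests entirely on the HTTPS channel."""
    mac_key = secrets.token_bytes(32)
    return mac_key, mac_key, {"mac_key": mac_key}
```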