[OpenID] rationale behind short-lived associations

David Recordon recordond at gmail.com
Mon Nov 30 02:12:19 UTC 2009


I think I agree with you Will that there is little value in long-lived
associations.  They reduce a bit of overhead, but renewing them every 24
hours shouldn't be too bad.  It seems prudent for an RP to renew the
association proactively versus waiting for a user to be signing in and
having the OP tell them that the association is no longer valid.  (Thus
creating additional wait time for the user.)

--David

On Sun, Nov 29, 2009 at 12:26 PM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:

> I think it's because SSH keys are public/private key pairs, while OpenID
> associations are symmetric, i.e. two parties have to keep them safe and
> either of them has to trust the other that they keep them safe. (At least
> that's my guess ...) In the asymmetric case, nothing bad happens if a third
> party discovers somebody else's public key.
>
> Coincidentally one of the reasons that we based LID on public key pairs
> instead of symmetric keys.
>
> As you point out, making the lifetime shorter improves one thing but makes
> another thing harder, there's a tradeoff there.
>
>
> On Nov 29, 2009, at 10:34, Will Norris wrote:
>
> > One question has been bugging me for a while after reading the ICAM
> OpenID profile[0].  The ICAM profile specifies that associations must expire
> within at least 24 hours.  What's the rationale behind this?
> >
> > Or put another way, what about the benefits of using long-lived
> associations?  Take SSH host keys for example.  They MUST be long lived to
> actually serve the purpose they are intended for... to ensure that the host
> you're talking to today is the same host you talked to yesterday, and the
> day before that.  Now for the really paranoid, you would verify the SSH host
> key out of band some way, but I'm certainly not suggesting that (I've gotten
> my fill of that with SAML metadata exchange).  But even without the out of
> band verification, there is a lot of value just in having the host key long
> lived.
> >
> > Why are these same principles not applied to OpenID associations?  Am I
> overloading the purpose of the association?
> >
> > [0]: http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf
> >
> > -will
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
>
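An added example, not code from this thread or from any OpenID library, of the two points the thread discusses: an RP-side association object that holds the symmetric MAC key (so the same object can both sign, as the OP does, and verify, as the RP does), signs and verifies OpenID 2.0 Key-Value Form messages with it, and flags proactive renewal before the 24 hour lifetime runs out. The class and method names and the sample association values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample association response, shaped like what an OP returns
# (handle and key are made up; the 24 hour lifetime matches the ICAM profile).
SAMPLE_ASSOC = {
    "assoc_handle": "example-handle-1",
    "assoc_type": "HMAC-SHA256",
    "mac_key": base64.b64encode(b"\x01" * 32).decode(),
    "expires_in": 24 * 3600,
}

class Association:
    """RP-side copy of the symmetric MAC key shared with the OP."""
    # Because the key is symmetric, whichever party leaks it, forgery follows.
    def __init__(self, resp, issued_at):
        self.handle = resp["assoc_handle"]
        self.mac_key = base64.b64decode(resp["mac_key"])
        self.digest = hashlib.sha256 if resp["assoc_type"] == "HMAC-SHA256" else hashlib.sha1
        self.expires_at = issued_at + int(resp["expires_in"])

    def remaining(self, now):
        return self.expires_at - now

    def needs_renewal(self, now, margin=3600):
        # Proactive renewal: fetch a new association once fewer than `margin`
        # seconds remain, rather than waiting for a sign-in to trip an
        # invalid handle at the OP and making the user wait.
        return self.remaining(now) < margin

    @staticmethod
    def kv_form(fields, signed):
        # OpenID 2.0 Key-Value Form over the fields named in `signed`, in that
        # order, with the "openid." prefix already stripped from the keys.
        return "".join(f"{k}:{fields[k]}\n" for k in signed.split(","))

    def sign(self, fields, signed):
        mac = hmac.new(self.mac_key, self.kv_form(fields, signed).encode(), self.digest)
        return base64.b64encode(mac.digest()).decode()

    def verify(self, fields, now):
        # Reject outright once the association has expired, then compare the
        # MAC in constant time against the sig the OP sent.
        if self.remaining(now) <= 0:
            return False
        return hmac.compare_digest(self.sign(fields, fields["signed"]), fields["sig"])
```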