<div dir="ltr">Reusing the association secret and encrypting attribute values using that as a shared key is an interesting possibility. It's not in any of the specs, however, and I've heard some in the OpenID community look down on 'overloading' an association. But it certainly sounds possible.<br>
<br><div class="gmail_quote">On Sun, Aug 3, 2008 at 2:17 PM, Johnny Bufu <span dir="ltr"><<a href="mailto:johnny.bufu@gmail.com">johnny.bufu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
<br>
On 03/08/08 11:27 AM, <a href="mailto:Easysurfer@gmx.de">Easysurfer@gmx.de</a> wrote:<br>
> I'd like to transmit sensitive data over the Attribute Exchange Extension and was wondering about the best way for encryption.<br>
</div>[...]<br>
<div class="Ih2E3d">> Any ideas? I'd like to pass the info over using only the OpenID<br>
> protocol, not invent another protocol for my own use.<br>
<br>
</div>If what you're trying to avoid is the exchange of another secret key<br>
(and not require the RP to offer a HTTPS endpoint), then your only<br>
option is to enforce stateful mode and use the shared association<br>
secret to encrypt the attributes.<br>
<br>
Otherwise, the exchange of the encryption key can be done through<br>
attribute exchange. Working with the same assumption that RPs can't<br>
generally afford HTTPS endpoints, the key exchange would have to be<br>
initiated by the RP against a HTTPS OP endpoint, e.g. through an AX store<br>
request.<br>
<font color="#888888"><br>
<br>
Johnny<br>
</font><div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>
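A sketch of the stateful-mode option discussed above, as an added example that is not from the thread or from any OpenID library: it derives purpose-specific keys from the association mac_key with HKDF rather than reusing the secret raw, and seals one AX attribute value with encrypt-then-MAC so the tag also binds the attribute alias. The association handle and mac_key are constructed values, and an HMAC-SHA256 counter-mode keystream stands in for a standard AEAD such as AES-GCM to keep the snippet dependency-free.

```python
import base64
import hashlib
import hmac

# Constructed sample: what an RP holds after a stateful OpenID association.
ASSOC_HANDLE = "example-assoc-handle-42"                          # made-up handle
ASSOC_MAC_KEY_B64 = base64.b64encode(bytes(range(32))).decode()  # made-up mac_key

def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_attribute_keys(mac_key_b64, assoc_handle):
    """Do not use the association mac_key raw for a second purpose: derive a
    separate encryption key and tag key bound to this handle and this purpose."""
    okm = hkdf_sha256(base64.b64decode(mac_key_b64), assoc_handle.encode(),
                      b"openid-ax-attribute-encryption", 64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(-(-length // 32)))
    return out[:length]

def seal_attribute(keys, alias, value, nonce):
    """Encrypt-then-MAC one AX value with a fresh 16-byte nonce; the tag covers
    the alias so a ciphertext cannot be replayed under another attribute."""
    enc_key, tag_key = keys
    pt = value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(tag_key, alias.encode() + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def open_attribute(keys, alias, blob):
    """Verify the tag in constant time before decrypting; None on any failure."""
    enc_key, tag_key = keys
    raw = base64.b64decode(blob)
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    good = hmac.new(tag_key, alias.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

The sealed string is what would travel as the AX field value; the OP derives the same keys from the association it shares with that RP.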