[Openid-specs-ab] Spec call notes 9-Apr-12
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Wed Apr 11 11:28:50 UTC 2012
> #570: General - removal of checkid endpoint
>
> Signature checking still needed for implicit flow - can be done by client
> Nat points out that without Check ID endpoint, we lose the ability to use a symmetric signature
> John believes that this observation is a red herring
> John points out that there are RSA libraries available for JavaScript
While I don't understand all implications involved here, I asked the
crypto guys at CertiVox for an opinion how well signature validation can
work in JavaScript and here is the response I got:
On Tue, 2012-04-10 at 12:00 +0000, Mike Scott wrote:
> Depends on what you mean by "how well". It can certainly be done, we have most of the Javascript code for it, and its reasonably fast.
>
> The computation required for verification varies between RSA and ECDSA. In RSA its very very fast, much faster than for signature. For ECDSA verification is much slower (and signature is faster). But even so, we can probably do it fast enough - but it depends of course on the computer power available. On a small low-powered handheld device ECDSA verification might be painful in Javascript.
>
More information about the Openid-specs-ab
mailing list