Dick Hardt wrote:
>> 2) Only call the remote site once to generate a shared secret and
>> then use the secret to verify signatures coming from that site.
>> This would be akin to openid's associate mode.
> I think having a shared secret mode is a good option for improving
> performance. Just as in OpenID, having it as an option rather than a
> requirement is best as it requires state management and additional
> overhead if there is little interaction between that Homesite and Membersite.
> Note that it does not solve DoS since a bad server can repeatedly fail
> to provide a shared secret.
>> 3) Use Phillip's suggestion of SRV records as a discovery mechanism,
>> instead of looking up the persona-url.
> Does not solve DoS as a bad server can withhold returning SRV records.
I agree that the above two suggestions do not eliminate the possibility
of DoS. The intent behind the suggestions was that they should make it
easier to detect/protect against a DoS. The thinking being that fewer
calls need to be made during normal operation to remote sites. The
membersite only needs to establish a shared secret or look up a homesite's
SRV record once. If it finds that many requests are waiting for shared
secrets or SRV record responses it can abort further requests for these
items until the backlog has cleared. It can, however, still continue
normal operations to homesites with which it already shares a secret and
whose SRV record has been cached.
> Given that we have not got a WG started yet, I'm wondering if we are
> getting ahead of ourselves though?
Point taken, apologies,
Rob
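The backlog check Rob describes above, as an added example that is my own code and not from the dix list, the OpenID specification or any DIX implementation: a membersite keeps a cache of shared secrets, allows only a bounded number of unanswered association requests at once, refuses new ones while that backlog is full, and keeps verifying signatures for homesites whose secret it already holds. HMAC-SHA256 as the signature scheme, the `AssociationStore` class and the homesite names are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


# Hypothetical membersite-side association state (constructed for this example;
# not an implementation of the DIX or OpenID association protocol).
@dataclass
class AssociationStore:
    max_pending: int = 3                                   # backlog threshold
    secrets_by_site: dict = field(default_factory=dict)    # homesite -> shared secret
    pending: set = field(default_factory=set)              # homesites with a request in flight

    def needs_association(self, site: str) -> bool:
        return site not in self.secrets_by_site

    def begin_association(self, site: str) -> bool:
        """Return True if a new association request to `site` may be sent.
        Refused when one is already in flight for that site, or when the
        backlog of unanswered requests has reached the threshold."""
        if site in self.pending:
            return False
        if len(self.pending) >= self.max_pending:
            return False        # backlog full: abort further requests until it clears
        self.pending.add(site)
        return True

    def complete_association(self, site: str, shared_secret: bytes) -> None:
        """The remote answered: cache the secret and free the backlog slot."""
        self.pending.discard(site)
        self.secrets_by_site[site] = shared_secret

    def abandon_association(self, site: str) -> None:
        """The remote never answered (timeout): free the backlog slot only."""
        self.pending.discard(site)

    def verify(self, site: str, message: bytes, signature: bytes) -> bool:
        """Check an HMAC-SHA256 signature with the cached secret; no remote call."""
        secret = self.secrets_by_site.get(site)
        if secret is None:
            return False
        expected = hmac.new(secret, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def sign(secret: bytes, message: bytes) -> bytes:
    """What a cooperating homesite does with the shared secret."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def simulate() -> dict:
    """Walk through the scenario: one cooperating homesite, several that stall."""
    store = AssociationStore(max_pending=3)

    # A cooperating homesite completes the one-time association.
    good = "https://homesite.example"          # constructed name
    assert store.begin_association(good)
    good_secret = secrets.token_bytes(32)
    store.complete_association(good, good_secret)

    # Five homesites accept the association request but never answer.
    stalled = [f"https://stalled{i}.example" for i in range(5)]   # constructed names
    accepted = [store.begin_association(s) for s in stalled]
    # Only max_pending of them get a slot; the rest are refused without a remote call.

    # Normal operation with the good homesite continues meanwhile.
    msg = b"mode=id_res&persona=alice"          # constructed message
    good_ok = store.verify(good, msg, sign(good_secret, msg))
    forged = store.verify(good, msg, sign(b"wrong-secret", msg))

    # Once the stalled requests time out, the backlog clears and new ones are allowed.
    for s in stalled[:3]:
        store.abandon_association(s)
    after_clear = store.begin_association("https://late.example")

    return {
        "accepted": accepted,
        "good_ok": good_ok,
        "forged": forged,
        "after_clear": after_clear,
        "pending_after": len(store.pending),
    }


if __name__ == "__main__":
    print(simulate())
```

The same bounded-backlog logic applies unchanged to SRV lookups: substitute the DNS answer for the shared secret and the cache of resolved records for `secrets_by_site`. The threshold gives the membersite a signal (requests being refused) that a DoS may be under way, which is the detection point Rob's message is after, without blocking traffic for homesites already associated.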
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix