- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 19 Mar 2014 21:42:31 -0400
- To: public-webpayments@w3.org
On 03/19/2014 07:47 PM, Melvin Carvalho wrote:
> Thanks for the minutes and blog post, I'm trying to understand the
> telehash dependency better.
The purpose of Telehash is to map an email address to one or more
identity service URLs (which bootstraps the identity credentials
exchange process). For example:
  melvin@example.com -> https://idp.securemelvin.com/identities/
                        https://idp.opengames.org/i/
                        and so on...
Since you're querying a DHT for the mapping, you need to protect the
information so attackers can't map evil IdPs to melvin@example.com. The
best way to do this is to use a passphrase or perhaps a
passphrase-derived private key.
> Is the use case that a user types in an email address into a form,
> and you wish to get an HTTP URL from that?
More or less, yes, but in a way that allows any IdP to claim their email
address as long as a proper user-supplied passphrase is provided.
> Something wasn't 100% clear for me from the blog, might the user also
> need a 15 character password.
They need a passphrase because that passphrase is the only thing sitting
between them and a DDoS on their email address to IdP URL mapping.
You can think of Telehash as a decentralized-with-mirroring-of-data
replacement for WebFinger.
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/
Received on Thursday, 20 March 2014 01:43:01 UTC
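
Added example, not part of the original message and not Telehash's API or the author's design: a sketch of why a passphrase-derived key keeps forged IdP mappings out of a lookup, with a plain dict standing in for the DHT. Assumptions: PBKDF2 as the key derivation, an HMAC tag in place of the private-key signature the message mentions, the slot layout, the passphrase, and the forged URL are all constructed for illustration.

```python
import hashlib
import hmac
import json

def derive_key(email: str, passphrase: str) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 salted with the address; the message names no KDF.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                               email.lower().encode(), 200_000, dklen=32)

def slot_for(email: str) -> str:
    # Assumed layout: records for an address live under the hash of that address.
    return hashlib.sha256(email.lower().encode()).hexdigest()

def make_record(email: str, passphrase: str, idp_urls: list) -> dict:
    body = json.dumps({"email": email.lower(), "idps": sorted(idp_urls)},
                      sort_keys=True)
    tag = hmac.new(derive_key(email, passphrase), body.encode(),
                   hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def resolve(dht: dict, email: str, passphrase: str) -> list:
    """Return IdP URLs only from records that verify under the derived key."""
    key = derive_key(email, passphrase)
    urls = []
    for rec in dht.get(slot_for(email), []):
        body = str(rec.get("body", ""))
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; anyone can write to the DHT, so treat tags as hostile.
        if not hmac.compare_digest(expected.encode(), str(rec.get("tag", "")).encode()):
            continue  # written without the passphrase: ignore
        claims = json.loads(body)
        if claims.get("email") == email.lower():
            urls.extend(claims.get("idps", []))
    return urls

def build_sample_dht() -> dict:
    # Constructed sample: one genuine record plus one forged by a party
    # that can write to the slot but does not know the passphrase.
    email, phrase = "melvin@example.com", "correct horse battery staple"
    good = make_record(email, phrase, ["https://idp.securemelvin.com/identities/",
                                       "https://idp.opengames.org/i/"])
    forged = {"body": json.dumps({"email": email,
                                  "idps": ["https://idp.evil.example/"]}),
              "tag": "00" * 32}
    return {slot_for(email): [forged, good]}

if __name__ == "__main__":
    print(resolve(build_sample_dht(), "melvin@example.com",
                  "correct horse battery staple"))
```

The forged record sits in the same slot but is skipped at lookup; a wrong passphrase yields no URLs at all rather than an attacker-chosen one.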