- From: Brian Smith <bsmith@mozilla.com>
- Date: Sun, 17 Jul 2011 22:08:04 -0700 (PDT)
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID XG <public-xg-webid@w3.org>, Ben Adida <ben@adida.net>, dev-identity@lists.mozilla.org

Henry Story wrote:
> You seem to have made short lasting keys a necessary part of your
> protocol.
> Why is that? I am pointing out one can enable longer lasting ones too.

Long-lasting keys require a revocation mechanism. But, the revocation mechanism would likely leak information from the relying party to the identity provider about which identity is being verified. By making keys short-lived, we can avoid the need for a revocation mechanism, and thus avoid this leakage. It does mean that the browser will contact the identity provider more frequently, but I do not think that is a big deal.

Regards,
Brian

Received on Monday, 18 July 2011 05:08:32 UTC