[OpenID] My 2 Cents to the OpenID foundation

Martin Atkins mart at degeneration.co.uk
Fri Apr 3 04:41:54 UTC 2009

John Bradley wrote:
> Martin,
> Myspace supports HMAC-SHA256 and DH-SHA256 for OpenID 2.0 in my testing.
> If they have an OpenID 2.0 interop issue please let me know and I will 
> attempt to capture it in an OSIS interop test. However, I am not seeing 
> a problem with their associations, or anything else on a quick look.

I suspect the problem, then, is that the RPs I tried only support SHA1.

I know that's certainly true of LiveJournal and TypePad because I know 
they run on Net::OpenID::Consumer for Perl, which currently has support 
only for SHA1.

I'm intending to give Net::OpenID::Consumer and Net::OpenID::Server a 
thorough review in the near future, since this is the second OpenID 2.0 
feature I've found to be lacking support.

(The other being support for nonces; having a test for this in the test 
suite would be useful, but some RPs may use RP-generated nonces and 
ignore the server-provided nonce while still being secure, and it'd be 
annoying to have them fail in that case.)

