[OpenID] My 2 Cents to the OpenID foundation

santrajan santrajan at gmail.com
Fri Apr 3 05:14:22 UTC 2009


Aha, I stand corrected on this one.
They hit you with SHA512 in stateless mode only, which I think should be
okay since RPs probably are not using this mode.
So if you want SHA256 you must use session type DH. This is also OK because
their endpoint is http, not https.
I only wish all OPs supported transport layer encryption so that we don't get
into such headaches. Maybe we should look into this for 2.1.


Martin Atkins-2 wrote:
> 
> John Bradley wrote:
>> Martin,
>> 
>> Myspace supports HMAC-SHA256 and DH-SHA256 for OpenID 2.0 in my testing.
>> 
>> If they have an OpenID 2.0 interop issue please let me know and I will 
>> attempt to capture it in an OSIS interop test. However I am not seeing 
>> a problem with their associations, or anything else on a quick look.
>> 
> 
> I suspect the problem, then, is that the RPs I tried only support SHA1.
> 
> I know that's certainly true of LiveJournal and TypePad because I know 
> they run on Net::OpenID::Consumer for Perl, which currently has support 
> only for SHA1.
> 
> I'm intending to give Net::OpenID::Consumer and Net::OpenID::Server a 
> thorough review in the near future, since this is the second OpenID 2.0 
> feature I've found to be lacking support.
> 
> (The other being support for nonces; having a test for this in the test 
> suite would be useful, but some RPs may use RP-generated nonces and 
> ignore the server-provided nonce while still being secure, and it'd be 
> annoying to have them fail in that case.)
> 

-- 
View this message in context: http://www.nabble.com/My-2-Cents-to-the-OpenID-foundation-tp22841100p22862097.html
Sent from the OpenID - General mailing list archive at Nabble.com.
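
The association negotiation discussed in this thread, as an added example that is not code from any poster or from Net::OpenID::Consumer: an RP picks `assoc_type` and `session_type` from the hashes its library implements and the OP endpoint's scheme, then decides whether to accept the OP's `unsupported-type` counter-offer. The function names, the `op.example` endpoint and the sample reply are constructed for illustration.

```python
from urllib.parse import urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
HASH_PREFERENCE = ("SHA256", "SHA1")  # strongest first

# Constructed sample of an OP's direct error response (Key-Value Form).
SAMPLE_OP_REPLY = ("ns:http://specs.openid.net/auth/2.0\n"
                   "error:association type not supported\n"
                   "error_code:unsupported-type\n"
                   "assoc_type:HMAC-SHA256\n"
                   "session_type:DH-SHA256\n")

def session_allowed(op_endpoint, session_type, hash_name):
    """no-encryption only over https; a DH session must match the MAC hash."""
    if session_type == "no-encryption":
        return urlsplit(op_endpoint).scheme.lower() == "https"
    return session_type == "DH-" + hash_name

def associate_request(op_endpoint, rp_hashes):
    """First offer: the strongest hash this RP library implements."""
    hash_name = next(h for h in HASH_PREFERENCE if h in rp_hashes)
    session = "no-encryption"
    if not session_allowed(op_endpoint, session, hash_name):
        session = "DH-" + hash_name  # plain http: MAC key must be DH-protected
    # A DH session also sends openid.dh_consumer_public (key exchange not shown).
    return {"openid.ns": OPENID2_NS, "openid.mode": "associate",
            "openid.assoc_type": "HMAC-" + hash_name,
            "openid.session_type": session}

def parse_kv(body):
    """Key-Value Form: one 'key:value' pair per line."""
    return dict(line.split(":", 1) for line in body.splitlines() if ":" in line)

def retry_request(op_endpoint, response_body, rp_hashes):
    """Return a second associate request if the OP's counter-offer is usable,
    or None, meaning: stop associating and fall back to stateless mode."""
    fields = parse_kv(response_body)
    if fields.get("error_code") != "unsupported-type":
        return None
    assoc = fields.get("assoc_type", "")
    session = fields.get("session_type", "")
    hash_name = assoc[len("HMAC-"):] if assoc.startswith("HMAC-") else ""
    if hash_name not in HASH_PREFERENCE or hash_name not in rp_hashes:
        return None  # e.g. a SHA1-only RP offered HMAC-SHA256
    if not session_allowed(op_endpoint, session, hash_name):
        return None  # e.g. no-encryption offered on an http endpoint
    return {"openid.ns": OPENID2_NS, "openid.mode": "associate",
            "openid.assoc_type": assoc, "openid.session_type": session}
```

A SHA1-only RP gets `None` from `retry_request` for the sample reply, which is the case where it ends up in stateless mode.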