[OpenID] My 2 Cents to the OpenID foundation

[John Bradley]

Martin,

A test for properly formatted nonces.
http://osis.idcommons.net/wiki/I5:FeatureTest-Sends_a_properly_formated_response_nonce

I am always open to creating more tests if people can define what they  
want tested clearly.

I took a closer look at the myspace provider.  It supports only openID  
2 it is not advertising a openID 1.1 endpoint in it's XRDS or vis HTML  
tags.

If you have a openID 2.0 RP that doesn't support SHA256 that is a  
problem.
https://test-id.org/RP/HMACSHA256.aspx

Yahoo and I have an ongoing disagreement over the requirement for  
openID 2.0 OPs to support HMAC-SHA256,  they believe that HMAC-SHA1 is  
sufficient. I think that if an RP ask for a SHA256 association they  
should support it.  (Allen feel free to defend yourself:)

I think it would be a good idea for myspace to support both but they  
are not required to.  They may have a valid security reason not to  
allow fallback to HMAC-SHA1.

I could buy that argument more easily than forcing an RP to a smaller  
hash.

So my take on it for what it is worth, is that openID 2.0 RPs must  
support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with  
all OPs.

Any OP or RP has the right to decline using a part of the spec they  
don't feel comfortable with eg discovery of meta-data over http.   The  
consequence of that however is lower interoperability.  That is a  
business decision.

As far as associations go any RP that falls back to dumb mode can  
still perform authentications without an association.

If the Net::OpenID::Consumer for Perl is a openID 2.0 RP then it  
should work with myspace.

I don't have any contacts at MySpace so I cant say why they may or may  
not accept HMAC-SHA1 associations.  That is there business/security  
risk decision.

I think that putting pressure on the RPs to fully support openID 2.0  
is the better use of resources.

I am certain that David Recordan will be making certain that  
LiveJournal and Typepad successfully complete there OSIS testing.

I have all of the OP tests integrated with the OSIS site but I still  
have wiki editing to do to add the new RP tests.  Though the tests  
themselves are live at http://test-id.org now.

Regards
John Bradley


On 2-Apr-09, at 9:42 PM, general-request at openid.net wrote:

> Message: 4
> Date: Thu, 02 Apr 2009 21:41:54 -0700
> From: Martin Atkins <mart at degeneration.co.uk>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <49D59392.8050309 at degeneration.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> John Bradley wrote:
>> Martin,
>>
>> Myspace supports HMAC-SHA256 and DH-SHA256 for openID 2.0 in my  
>> testing.
>>
>> If they have a openID 2.0 interop issue please let me know and I will
>> attempt to capture it in an OSIS interop test.   However I am not  
>> seeing
>> a problem with there associations, or anything else on a quick look.
>>
>
> I suspect the problem, then, is that the RPs I tried only support  
> SHA1.
>
> I know that's certainly true of LiveJournal and TypePad because I know
> they run on Net::OpenID::Consumer for Perl, which currently has  
> support
> only for SHA1.
>
> I'm intending to give Net::OpenID::Consumer and Net::OpenID::Server a
> thorough review in the near future, since this is the second OpenID  
> 2.0
> feature I've found to be lacking support.
>
> (The other being support for nonces; having a test for this in the  
> test
> suite would be useful, but some RPs may use RP-generated nonces and
> ignore the server-provided nonce while still being secure, and it'd be
> annoying to have them fail in that case.)
>
>
>
> ------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2486 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090402/1e3178f0/attachment-0002.bin>