[OpenID] My 2 Cents to the OpenID foundation
john.bradley at wingaa.com
Fri Apr 3 06:02:05 UTC 2009
A test for properly formatted nonces.
I am always open to creating more tests if people can define what they
want tested clearly.
I took a closer look at the MySpace provider. It supports only OpenID
2; it is not advertising an OpenID 1.1 endpoint in its XRDS or via HTML.
If you have an OpenID 2.0 RP that doesn't support SHA256 that is a
Yahoo and I have an ongoing disagreement over the requirement for
OpenID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
sufficient. I think that if an RP asks for a SHA256 association they
should support it. (Allen, feel free to defend yourself :)
I think it would be a good idea for myspace to support both but they
are not required to. They may have a valid security reason not to
allow fallback to HMAC-SHA1.
I could buy that argument more easily than forcing an RP to a smaller
So my take on it, for what it is worth, is that OpenID 2.0 RPs must
support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with
Any OP or RP has the right to decline using a part of the spec they
don't feel comfortable with, e.g. discovery of metadata over HTTP. The
consequence of that, however, is lower interoperability. That is a
As far as associations go any RP that falls back to dumb mode can
still perform authentications without an association.
If the Net::OpenID::Consumer for Perl is an OpenID 2.0 RP, then it
should work with MySpace.
I don't have any contacts at MySpace so I can't say why they may or may
not accept HMAC-SHA1 associations. That is their business/security
I think that putting pressure on the RPs to fully support OpenID 2.0
is the better use of resources.
I am certain that David Recordan will be making certain that
LiveJournal and Typepad successfully complete their OSIS testing.
I have all of the OP tests integrated with the OSIS site but I still
have wiki editing to do to add the new RP tests. Though the tests
themselves are live at http://test-id.org now.
On 2-Apr-09, at 9:42 PM, general-request at openid.net wrote:
> Message: 4
> Date: Thu, 02 Apr 2009 21:41:54 -0700
> From: Martin Atkins <mart at degeneration.co.uk>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <49D59392.8050309 at degeneration.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> John Bradley wrote:
>> MySpace supports HMAC-SHA256 and DH-SHA256 for OpenID 2.0 in my
>> If they have an OpenID 2.0 interop issue please let me know and I will
>> attempt to capture it in an OSIS interop test. However I am not
>> a problem with their associations, or anything else on a quick look.
> I suspect the problem, then, is that the RPs I tried only support
> I know that's certainly true of LiveJournal and TypePad because I know
> they run on Net::OpenID::Consumer for Perl, which currently has
> only for SHA1.
> I'm intending to give Net::OpenID::Consumer and Net::OpenID::Server a
> thorough review in the near future, since this is the second OpenID
> feature I've found to be lacking support.
> (The other being support for nonces; having a test for this in the
> suite would be useful, but some RPs may use RP-generated nonces and
> ignore the server-provided nonce while still being secure, and it'd be
> annoying to have them fail in that case.)
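The thread above turns on three mechanics of OpenID 2.0 that are easy to get wrong: an RP asking for an HMAC-SHA256 association and an OP that only does HMAC-SHA1 answering with `unsupported-type`, the RP deciding whether to downgrade or refuse, and the RP checking the assertion signature and the `response_nonce`. The following is an added illustration, not code from the original message, from OSIS, from MySpace, or from Net::OpenID::Consumer. It simulates both OP and RP in one process, omits discovery, HTTP transport and the Diffie-Hellman session (it assumes a `no-encryption` session, which the spec only allows over TLS), and the class and function names are the example's own.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
# assoc_type -> (hash constructor, MAC key length in bytes), OpenID 2.0 sec 6.2
ASSOC_TYPES = {"HMAC-SHA1": (hashlib.sha1, 20), "HMAC-SHA256": (hashlib.sha256, 32)}


def kv_encode(fields):
    """Key-Value Form (sec 4.1.1): one 'key:value\\n' line per field, order preserved."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def kv_decode(text):
    return dict(line.split(":", 1) for line in text.splitlines() if line)


def _mac(atype, key, fields, signed):
    """base64(HMAC(mac_key, kv-form of the fields listed in openid.signed)), sec 6.1."""
    msg = kv_encode({k: fields[k] for k in signed.split(",")}).encode()
    return base64.b64encode(hmac.new(key, msg, ASSOC_TYPES[atype][0]).digest()).decode()


class OP:
    """Simulated OpenID Provider that accepts only the listed association types."""

    def __init__(self, supported):
        self.supported = list(supported)
        self.assocs = {}  # handle -> (assoc_type, mac_key)

    def associate(self, request_kv):
        req = kv_decode(request_kv)
        atype = req.get("openid.assoc_type")
        if atype not in self.supported:
            # sec 8.2.4: decline, and advertise a type the OP does support
            return kv_encode({"ns": OPENID_NS, "error": "Unsupported association type",
                              "error_code": "unsupported-type",
                              "assoc_type": self.supported[0],
                              "session_type": "no-encryption"})
        key = os.urandom(ASSOC_TYPES[atype][1])
        handle = base64.b64encode(os.urandom(9)).decode()
        self.assocs[handle] = (atype, key)
        # ASSUMPTION: no-encryption session, so mac_key is sent base64-encoded
        # rather than blinded with a DH shared secret
        return kv_encode({"ns": OPENID_NS, "assoc_handle": handle, "assoc_type": atype,
                          "session_type": "no-encryption", "expires_in": "3600",
                          "mac_key": base64.b64encode(key).decode()})

    def sign(self, handle, fields):
        """Positive assertion: every field except ns is covered by the signature."""
        atype, key = self.assocs[handle]
        out = dict(fields, ns=OPENID_NS, assoc_handle=handle)
        out["signed"] = ",".join(k for k in out if k != "ns")
        out["sig"] = _mac(atype, key, out, out["signed"])
        return out


class RP:
    """Relying party that asks for HMAC-SHA256 and downgrades only by explicit policy."""

    def __init__(self, allow_sha1_fallback=False):
        self.allow_sha1_fallback = allow_sha1_fallback
        self.assocs = {}
        self.handle = None

    def associate(self, op):
        wanted = "HMAC-SHA256"
        while True:
            req = {"openid.ns": OPENID_NS, "openid.mode": "associate",
                   "openid.assoc_type": wanted, "openid.session_type": "no-encryption"}
            resp = kv_decode(op.associate(kv_encode(req)))
            if resp.get("error_code") != "unsupported-type":
                break
            offered = resp.get("assoc_type")
            if offered == "HMAC-SHA1" and self.allow_sha1_fallback and wanted != offered:
                wanted = offered  # retry exactly once with the OP's advertised type
                continue
            raise RuntimeError(f"OP offers only {offered}; refusing to downgrade")
        atype, key = resp["assoc_type"], base64.b64decode(resp["mac_key"])
        if len(key) != ASSOC_TYPES[atype][1]:
            raise RuntimeError("mac_key length does not match assoc_type")
        self.handle = resp["assoc_handle"]
        self.assocs[self.handle] = (atype, key)
        return atype

    def verify(self, fields):
        """Check the assertion signature; fields the RP relies on must be signed (sec 10.1)."""
        assoc = self.assocs.get(fields.get("assoc_handle"))
        signed = set(fields.get("signed", "").split(","))
        if assoc is None or not signed <= set(fields):
            return False
        if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= signed:
            return False
        atype, key = assoc
        expected = _mac(atype, key, fields, fields["signed"])
        return hmac.compare_digest(expected, fields.get("sig", ""))


# response_nonce: UTC timestamp, then printable ASCII uniqueness suffix (sec 10.1)
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_nonce(nonce, seen, now=None, skew=timedelta(minutes=5)):
    """Format, freshness and replay check; `seen` is the RP's nonce store.
    `now` may be a datetime or an ISO 8601 'Z' string (for deterministic tests)."""
    if isinstance(now, str):
        now = _parse_ts(now)
    now = now or datetime.now(timezone.utc)
    m = NONCE_RE.match(nonce)
    if not m or len(nonce) > 255:
        return "malformed"
    if abs(now - _parse_ts(m.group(1))) > skew:
        return "stale"
    if nonce in seen:
        return "replay"
    seen.add(nonce)
    return "ok"
```

`RP()` refuses an OP that only offers HMAC-SHA1 and `RP(allow_sha1_fallback=True)` takes the offered type, which is the policy choice the thread argues about; either way the RP never silently accepts a weaker association than it asked for. The nonce check is the RP-side counterpart of the "properly formatted nonces" test: an RP that ignores `response_nonce` and uses its own nonce would still need the replay store, but the format check is what a conformance test can observe.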