[OpenID] My 2 Cents to the OpenID foundation
John Bradley
john.bradley at wingaa.com
Fri Apr 3 06:02:05 UTC 2009
Martin,
A test for properly formatted nonces.
http://osis.idcommons.net/wiki/I5:FeatureTest-Sends_a_properly_formated_response_nonce
I am always open to creating more tests if people can define what they
want tested clearly.
I took a closer look at the myspace provider. It supports only openID
2; it is not advertising an openID 1.1 endpoint in its XRDS or via HTML
tags.
If you have an openID 2.0 RP that doesn't support SHA256 that is a
problem.
https://test-id.org/RP/HMACSHA256.aspx
Yahoo and I have an ongoing disagreement over the requirement for
openID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
sufficient. I think that if an RP asks for a SHA256 association they
should support it. (Allen, feel free to defend yourself :)
I think it would be a good idea for myspace to support both but they
are not required to. They may have a valid security reason not to
allow fallback to HMAC-SHA1.
I could buy that argument more easily than forcing an RP to a smaller
hash.
So my take on it, for what it is worth, is that openID 2.0 RPs must
support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with
all OPs.
Any OP or RP has the right to decline using a part of the spec they
don't feel comfortable with, e.g. discovery of meta-data over http. The
consequence of that however is lower interoperability. That is a
business decision.
As far as associations go, any RP that falls back to dumb mode can
still perform authentications without an association.
If the Net::OpenID::Consumer for Perl is an openID 2.0 RP then it
should work with myspace.
I don't have any contacts at MySpace so I can't say why they may or may
not accept HMAC-SHA1 associations. That is their business/security
risk decision.
I think that putting pressure on the RPs to fully support openID 2.0
is the better use of resources.
I am certain that David Recordon will be making certain that
LiveJournal and Typepad successfully complete their OSIS testing.
I have all of the OP tests integrated with the OSIS site but I still
have wiki editing to do to add the new RP tests. Though the tests
themselves are live at http://test-id.org now.
Regards
John Bradley
On 2-Apr-09, at 9:42 PM, general-request at openid.net wrote:
> Message: 4
> Date: Thu, 02 Apr 2009 21:41:54 -0700
> From: Martin Atkins <mart at degeneration.co.uk>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <49D59392.8050309 at degeneration.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> John Bradley wrote:
>> Martin,
>>
>> Myspace supports HMAC-SHA256 and DH-SHA256 for openID 2.0 in my
>> testing.
>>
>> If they have an openID 2.0 interop issue please let me know and I will
>> attempt to capture it in an OSIS interop test. However I am not
>> seeing
>> a problem with their associations, or anything else on a quick look.
>>
>
> I suspect the problem, then, is that the RPs I tried only support
> SHA1.
>
> I know that's certainly true of LiveJournal and TypePad because I know
> they run on Net::OpenID::Consumer for Perl, which currently has
> support
> only for SHA1.
>
> I'm intending to give Net::OpenID::Consumer and Net::OpenID::Server a
> thorough review in the near future, since this is the second OpenID
> 2.0
> feature I've found to be lacking support.
>
> (The other being support for nonces; having a test for this in the
> test
> suite would be useful, but some RPs may use RP-generated nonces and
> ignore the server-provided nonce while still being secure, and it'd be
> annoying to have them fail in that case.)
>
>
>
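An added example, not code from this thread, the OSIS test suite or Net::OpenID::Consumer, of the RP-side check behind the "properly formatted nonce" test above and the nonce concern in the quoted reply: it validates the openid.response_nonce format from OpenID Authentication 2.0 section 10.1 (RFC 3339 UTC timestamp, 'Z' suffix, no fractional seconds, at most 255 characters) and refuses to accept the same nonce twice from the same OP endpoint. The five-minute skew window, the printable-ASCII restriction on the suffix, and the sample values are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# openid.response_nonce: RFC 3339 UTC timestamp ("Z", no fractional seconds)
# followed by optional ASCII characters; assumed here to be printable ASCII.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")
MAX_NONCE_LEN = 255  # limit from the OpenID 2.0 specification


class NonceChecker:
    """Format and replay check for response_nonce, keyed per OP endpoint."""

    def __init__(self, max_skew=timedelta(minutes=5)):  # skew is an assumption
        self.max_skew = max_skew
        self.seen = {}  # (op_endpoint, nonce) -> timestamp of accepted nonces

    def parse(self, nonce):
        """Return the nonce's UTC timestamp, or None if the nonce is malformed."""
        if len(nonce) > MAX_NONCE_LEN:
            return None
        m = NONCE_RE.match(nonce)
        if not m:
            return None
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:  # shape is right but e.g. month 13 or day 32
            return None
        return ts.replace(tzinfo=timezone.utc)

    def check(self, op_endpoint, nonce, now=None):
        """Return (accepted, reason). A nonce is accepted at most once per OP."""
        now = now or datetime.now(timezone.utc)
        ts = self.parse(nonce)
        if ts is None:
            return False, "malformed"
        # Outside the window the OP's timestamp is not trusted; this also
        # bounds how long accepted nonces must be remembered.
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # Forget nonces that could no longer pass the skew check anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        key = (op_endpoint, nonce)
        if key in self.seen:
            return False, "replay"
        self.seen[key] = ts
        return True, "ok"


if __name__ == "__main__":
    c = NonceChecker()
    t = datetime(2009, 4, 3, 6, 2, 5, tzinfo=timezone.utc)  # constructed clock
    print(c.check("https://op.example/", "2009-04-03T06:02:00Zabc", t))  # (True, 'ok')
    print(c.check("https://op.example/", "2009-04-03T06:02:00Zabc", t))  # (False, 'replay')
```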