[OpenID] My 2 Cents to the OpenID foundation

santrajan santrajan at gmail.com
Fri Apr 3 06:10:19 UTC 2009

I am surprised that a large OP like myspace has chosen not to use transport
layer security at their endpoint. SHA1 would have been a lesser risk if
they had chosen to do so.

John Bradley-7 wrote:
> Yahoo and I have an ongoing disagreement over the requirement for  
> openID 2.0 OPs to support HMAC-SHA256,  they believe that HMAC-SHA1 is  
> sufficient. I think that if an RP asks for a SHA256 association they
> should support it.  (Allen feel free to defend yourself:)
> I think it would be a good idea for myspace to support both but they  
> are not required to.  They may have a valid security reason not to  
> allow fallback to HMAC-SHA1.
> I could buy that argument more easily than forcing an RP to a smaller  
> hash.
> So my take on it for what it is worth, is that openID 2.0 RPs must  
> support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with  
> all OPs.

View this message in context: http://www.nabble.com/My-2-Cents-to-the-OpenID-foundation-tp22841100p22862548.html
Sent from the OpenID - General mailing list archive at Nabble.com.
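
Added example, not part of the original thread: an RP-side sketch of the OpenID 2.0 association negotiation discussed above. It requests HMAC-SHA256 first, retries once with the type an OP offers in an `unsupported-type` error, and uses a `no-encryption` session only when the OP endpoint is HTTPS. The `send` callback, the `make_op` stand-in and the endpoint URLs are hypothetical, and the Diffie-Hellman request fields are omitted.

```python
from urllib.parse import urlparse

NS = "http://specs.openid.net/auth/2.0"

def parse_kv(body):
    """Parse an OpenID key-value form body: one 'key:value' pair per line."""
    return dict(line.split(":", 1) for line in body.splitlines() if line)

def session_type(endpoint, assoc_type):
    """'no-encryption' sends the MAC key in the clear, so allow it only over TLS."""
    if urlparse(endpoint).scheme == "https":
        return "no-encryption"
    # DH request fields (openid.dh_consumer_public etc.) are omitted in this sketch.
    return "DH-SHA256" if assoc_type == "HMAC-SHA256" else "DH-SHA1"

def negotiate(endpoint, send, supported=("HMAC-SHA256", "HMAC-SHA1")):
    """Return the agreed assoc_type, or None if the RP must go stateless.

    send(params) -> response body; hypothetical transport callback.
    supported is the RP's own list of association types, strongest first.
    """
    wanted = supported[0]
    for _ in range(2):  # initial request plus at most one retry
        body = send({"openid.ns": NS, "openid.mode": "associate",
                     "openid.assoc_type": wanted,
                     "openid.session_type": session_type(endpoint, wanted)})
        resp = parse_kv(body)
        if "assoc_handle" in resp:
            # Never accept an association type other than the one requested.
            return wanted if resp.get("assoc_type") == wanted else None
        offered = resp.get("assoc_type")
        if (resp.get("error_code") != "unsupported-type"
                or offered not in supported or offered == wanted):
            return None
        wanted = offered  # retry once with the type the OP says it supports
    return None

def make_op(op_types):
    """Constructed stand-in for an OP that supports only op_types."""
    def send(params):
        t = params["openid.assoc_type"]
        if t in op_types:
            return f"ns:{NS}\nassoc_handle:h1\nassoc_type:{t}\n"
        return (f"ns:{NS}\nerror:unsupported\nerror_code:unsupported-type\n"
                f"assoc_type:{op_types[0]}\n")
    return send
```

An RP that lists only one type gets `None` from an OP that supports only the other, which is the interoperability gap the quoted message describes.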
