[OpenID] My 2 Cents to the OpenID foundation
santrajan at gmail.com
Fri Apr 3 06:10:19 UTC 2009
I am surprised that a large OP like myspace has chosen not to use transport
layer security at their endpoint. SHA1 would have a been a lesser risk if
they had chosen to do so.
John Bradley-7 wrote:
> Yahoo and I have an ongoing disagreement over the requirement for
> openID 2.0 OPs to support HMAC-SHA256, they believe that HMAC-SHA1 is
> sufficient. I think that if an RP ask for a SHA256 association they
> should support it. (Allen feel free to defend yourself:)
> I think it would be a good idea for myspace to support both but they
> are not required to. They may have a valid security reason not to
> allow fallback to HMAC-SHA1.
> I could buy that argument more easily than forcing an RP to a smaller
> So my take on it for what it is worth, is that openID 2.0 RPs must
> support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with
> all OPs.
View this message in context: http://www.nabble.com/My-2-Cents-to-the-OpenID-foundation-tp22841100p22862548.html
Sent from the OpenID - General mailing list archive at Nabble.com.
More information about the general