[OpenID] My 2 Cents to the OpenID foundation

John Bradley john.bradley at wingaa.com
Fri Apr 3 06:20:17 UTC 2009

Hi Peter,

I just looked into it a bit more for Martin.

I suspect the root of the issue is that MySpace like Yahoo is not  
supporting openID 1.1.

As a result of that they may not be supporting SHA1.

If an RP cant negotiate an association they should fall back to dumb  
mode and continue on.

If there is a issue with TypePad and LiveJournal then the issue may be  
on there side.

It should certainly be explored if those RPs are having issues with  
MySpace IDs.

I will chalk this up to normal interop issues rather than some larger  
policy until I see evidence to the contrary.

The OSIS tests are public  including the source code on the new ones  
feel free to run them against any OP or RP you like.

John Bradley
On 2-Apr-09, at 9:25 PM, Peter Williams wrote:

> Share this on the general  list, if you feel it’s fair.
> That’s fair enough. Let’s find out what the mix of non-normative  
> extensions plus the praxis of policy management is, before we make  
> *any* conclusions (or anyone infers any imputations).
> This is all a bit like Google’s announcement moment, where they had  
> policy controls initially (for testing purposes) – before they  
> learned the community really did want  them to operate as an open  
> system (which they did and do, as far as I know)
> The openness test for a system (in a UCI movement, particularly) is
> Find an  RP (e.g. some blog site handling authenticated comments).
> Find an OP (e.g. MySpace)
> Then See if - WITHOUT bilateral agreement – the OP subscriber ( i.e.  
> myspace user) can freely wander to that RP, without the prior  
> knowledge of a OP/Myspace administrator.
> Though the RP may CERTAINLY reject an assertion on the grounds that  
> the OP has insufficient trustworthiness (in the RP’s eyes), it’s  
> hardly “openid” that an OP may limit the blog sites where a given  
> op’s  user may deposit his/her authenticated comment!?
> If such a  blog site accepting the openid assertion wants to use  
> only a standard ciphersuite, we can easily test whether it can do so.
> If that all happens, and no bilateral contact is required to make it  
> happen, then there is nothing to whine about. One should celebrate  
> those parties.
> Now, I don’t mind folks inducing particular networks of partners to  
> set and use a higher standard than the norm. But, there must be no  
> technical or policy or setup barrier to using the standard, just as  
> it is.
> I’m more than happy with the wider position you advocate on  
> ciphersuites, John. Now folks with the expertise in ciphers and  
> ciphersuite design  can and should go out and design their own  
> ciphersuites, and quite properly use them in this community –  
> without being labeled “unopenid”.
> It’s fascinating to see just how rapidly things are maturing. In the  
> last few weeks, we have seen that  its quite proper to exchange  
> cleartext master  session keys that are protected by “non standard”  
> means (e.g. a privately-defined SSL ciphersuite), and now it’s quite  
> proper to go design and use your own ciphersuite within openid auth  
> v2 when providing data origin authentication service for the  
> assertion (and any extensions).
> I find this all very “OSI”! Feel free to use bilateral agreement  
> where you see fit, but always fallback to the open standards and  
> protocols where no bilateral agreement governs. So long as bilateral  
> agreements are not mandatory for interworking in public networks (an  
> OSI rule), this is all likely to be a very successful community  
> formula. Nothing hampers innovation and communities of interest, but  
> some reasonable minimum works …with no prior setup.
> From: John Bradley [mailto:john.bradley at wingaa.com]
> Sent: Thursday, April 02, 2009 8:52 PM
> To: Peter Williams
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> openID has no conformance requirement, unlike other protocols we are  
> familiar with.
> We do have interop testing for openID through OSIS.
> http://osis.idcommons.net/
> I have sent a message to one of the developers at myspace asking if  
> they would like to participate in the OSIS testing as an OP.
> They may or may not chose to submit themselves to a public interop.   
> However anyone can run the OSIS tests against them.
> In a quick look at there OP (sadly I did have a myspace account but  
> couldn't remember my password) I did not see any evidence of non- 
> standard ciphersuites being required.
> If they do support HMAC-512 and someone negotiates a session using  
> that the spec doesn't preclude that, as long as they support and  
> negotiate the standard set.
> Honestly we have more problems with people not supporting HMAC- 
> SHA256 or DH than with people supporting extra stuff.
> If someone can point to a concrete issue with myspace I will look  
> into it,  but at this point people should refrain from making  
> unsubstantiated claims about an OP who appears to be doing nothing  
> wrong.
> The best answer is public interop testing then everyone in the  
> community knows where OPs and RPs stand with respect to there  
> conformance to the spec.
> Regards
> John Bradley
> On 2-Apr-09, at 8:31 PM, Peter Williams wrote:
> So what is the  community position on OPs who implement non standard  
> features (e.g. ciphersuites) and require RPs to use them when  
> interworking with that OP?
> All parties in openid are peers and anyone of them would, could, and  
> should set politics that will impacts its peers. But my assumption  
> was that the peers would mandate features within the standard  
> interworking set.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]  
> On
> Behalf Of John Bradley
> Sent: Thursday, April 02, 2009 8:09 PM
> To: general at openid.net
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> Martin,
> Myspace supports HMAC-SHA256 and DH-SHA256 for openID 2.0 in my
> testing.
> If they have a openID 2.0 interop issue please let me know and I will
> attempt to capture it in an OSIS interop test.   However I am not
> seeing a problem with there associations, or anything else on a quick
> look.
> Regards
> John Bradley
> Prepared outgoing AssociateDiffieHellmanRequest (2.0) message for
> http://api.myspace.com/openid
> :
>        openid.dh_modulus:
> ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX
> +YkcLiemOcPym2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi/
> 368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI+XUkKJX8Fvf8W8vsixYOr
>        openid.dh_gen: Ag==
>        openid.dh_consumer_public:
> TNFXwmU9QTifKkmklQzq/ubOjdCjL5sHvm0SBy
> +EbzM1ACH6leuq/MU8EGLNFHIRGW+pgzD8QNOrdymx7bYfUNoCgvhZUmzgZx
> +Cxf3n9ZMepUEFVvwFFkj0Irv63JBYzy9TrGhMJoXHp09NEdMJ5RO0oPSJPLZZySq/
> FWNF5Qg=
>        openid.assoc_type: HMAC-SHA256
>        openid.session_type: DH-SHA256
>        openid.mode: associate
>        openid.ns: http://specs.openid.net/auth/2.0
> Processing incoming AssociateDiffieHellmanResponse (2.0) message:
>        dh_server_public: AKFvVHZ4LpjD+EkqDiJps36/
> gWUI5N4WYBLg23TM0vIBdsaWgrq4s5BMmBO5Z7C+PygwSOmuzQNsn
> +
> fGd68a2sUuxQj9iIOls1ofnlCsXIzGQr8gt4aW0ZDjZs8hcypA9d3xetINIsTxQYi6GC8wJ
> 0fvVzu5so0TtlaITqCKQ6pI
>        enc_mac_key: hSkCJoXCmmQnnUTe0T2yGGerEmv/LbJ54dEymarLj4A=
>        assoc_handle: {{HMAC-SHA256}{1238725530.30107}{XCfj0g==}
>        assoc_type: HMAC-SHA256
>        session_type: DH-SHA256
>        expires_in: 1209599
>        ns: http://specs.openid.net/auth/2.0
> On 2-Apr-09, at 4:23 PM, general-request at openid.net wrote:
> Date: Thu, 02 Apr 2009 12:08:56 -0700
> From: Martin Atkins <mart at degeneration.co.uk>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <49D50D48.8030709 at degeneration.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> santrajan wrote:
> myspace signatures are SHA512 not in Openid specs. The dont support
> SHA1 and
> SHA256.
> Ahh. This explains the interop problems with various sites I tried.
> I guess they're getting this support from DotNetOpenId, which
> supports
> additional signature schemes HMAC-SHA384, HMAC-SHA512, DH-SHA384 and
> DH-SHA512.
> It'd be good if MySpace could at least also enable SHA256 for interop
> with compliant OpenID 2.0 implementations. (Though I'm aware of at
> least a few implementations that currently only support SHA-1, but
> that's certainly a problem since SHA-1 has been broken.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090402/bf0f0f92/attachment-0002.htm>

More information about the general mailing list