[OpenID] My 2 Cents to the OpenID foundation

John Bradley john.bradley at wingaa.com
Fri Apr 3 07:01:31 UTC 2009


The message signature and transport encryption protect against  
different attacks.

The concern is that, given enough time and resources, an attacker could  
recover a session key given the well-documented weaknesses in SHA1.
Even with the known weakness this would be incredibly difficult if the  
keys are rotated regularly.  SSL can't protect against this.

Without SSL protecting the discovery step I would opt for the much  
easier DNS poisoning attack against a RP to hijack the session key.

On the other hand given the vetting practices of some CAs it is not  
impossible to imagine that a cert could not be acquired for almost any  
domain.

So SSL is better than no SSL, SHA256 is better than SHA1, and checking  
the returned assertion against the discovered information is better  
than not.

Defense in depth is better than no defense.  Nothing is perfect but  
you need to consider the security and cost of the whole system vs the  
value of what you are protecting.

Regards
John Bradley

On 2-Apr-09, at 11:20 PM, general-request at openid.net wrote:

> Message: 6
> Date: Thu, 2 Apr 2009 23:10:19 -0700 (PDT)
> From: santrajan <santrajan at gmail.com>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <22862548.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> I am surprised that a large OP like MySpace has chosen not to use
> transport layer security at their endpoint. SHA1 would have been a
> lesser risk if they had chosen to do so.
>
>
> John Bradley-7 wrote:
>>
>>
>> Yahoo and I have an ongoing disagreement over the requirement for
>> OpenID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
>> sufficient. I think that if an RP asks for a SHA256 association they
>> should support it.  (Allen, feel free to defend yourself :)
>>
>> I think it would be a good idea for MySpace to support both but they
>> are not required to.  They may have a valid security reason not to
>> allow fallback to HMAC-SHA1.
>>
>> I could buy that argument more easily than forcing an RP to a smaller
>> hash.
>>
>> So my take on it, for what it is worth, is that OpenID 2.0 RPs must
>> support HMAC-SHA256 and HMAC-SHA1 if they want to interoperate with
>> all OPs.
>>
>>
>
> -- 
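
An added example, not part of the original message or of any OpenID library: a relying-party check of a positive assertion that enforces an association-type policy (HMAC-SHA256 only unless the RP opts in to HMAC-SHA1), compares the assertion with the discovered information, and verifies the signature over the key-value form. The hosts, key, nonce and helper names are constructed for illustration.

```python
import base64, hashlib, hmac

# assoc_type names from OpenID Authentication 2.0
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# Fields this RP insists are covered by the signature
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity"}

def sign(fields, mac_key, assoc_type):
    """Base64 HMAC over the key-value form of the fields listed in openid.signed."""
    names = fields["openid.signed"].split(",")
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)
    mac = hmac.new(mac_key, kv.encode("utf-8"), DIGESTS[assoc_type])
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_assertion(fields, assoc, discovered, allowed=("HMAC-SHA256",)):
    """RP-side check of a positive assertion; returns (ok, reason)."""
    if assoc["assoc_type"] not in allowed:
        return False, "association type not allowed by RP policy"
    if fields.get("openid.assoc_handle") != assoc["handle"]:
        return False, "unknown association handle"
    signed = set(fields.get("openid.signed", "").split(","))
    if not MUST_SIGN <= signed or any("openid." + n not in fields for n in signed):
        return False, "required field unsigned or missing"
    # Compare the assertion with what the RP learned during discovery
    for name in ("op_endpoint", "claimed_id"):
        if fields["openid." + name] != discovered[name]:
            return False, name + " does not match discovery"
    expected = sign(fields, assoc["mac_key"], assoc["assoc_type"])
    sig = fields.get("openid.sig", "")
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"

# Constructed sample data (hypothetical hosts and nonce)
DISCOVERED = {"op_endpoint": "https://op.example/auth",
              "claimed_id": "https://alice.example/"}

def sample_assertion(assoc):
    """Build a signed assertion as an OP holding the same association would."""
    f = {"openid.op_endpoint": DISCOVERED["op_endpoint"],
         "openid.claimed_id": DISCOVERED["claimed_id"],
         "openid.identity": DISCOVERED["claimed_id"],
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2009-04-03T07:01:31Zabc123",
         "openid.assoc_handle": assoc["handle"],
         "openid.signed": ",".join(sorted(MUST_SIGN))}
    f["openid.sig"] = sign(f, assoc["mac_key"], assoc["assoc_type"])
    return f
```

Nonce replay tracking and return_to matching are left out to keep the block focused on the signature, policy and discovery checks.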
