[OpenID] My 2 Cents to the OpenID foundation

santrajan santrajan at gmail.com
Fri Apr 3 07:25:19 UTC 2009


How do we get around this, considering the following points?
1) An OP's motivation will be to get to the widest possible audience and
hence tend to adopt SHA1, now that we know RPs need to upgrade to support
SHA256.
2) On the other hand, MySpace has chosen to go the route of higher security,
SHA256, which begs the question why they didn't go for SSL if they were so
concerned about a higher level. Because I suspect RPs may also be breaking
at MySpace because they cannot support session_type "no-encryption".
3) There will be a number of combinations of SSL, SHA, DH, out of which OPs
may choose any one of them, which will lead RPs to have to upgrade any time
a major OP decides to choose a way "beyond the usual", the MySpace problem
being one of them.
4) By definition the number of OPs will be much less than the number of RPs.
Hence wouldn't it be easier to solve the problem on the OP's side rather than
the RP's side?


John Bradley-7 wrote:
> 
> The message signature and transport encryption protect against  
> different attacks.
> 
> The concern is that given enough time and resources an attacker could  
> recover a session-key given the well documented weaknesses in SHA1.
> Even with the known weakness this would be incredibly difficult if the  
> keys are rotated regularly.  SSL can't protect against this.
> 
> Without SSL protecting the discovery step I would opt for the much  
> easier DNS poisoning attack against a RP to hijack the session key.
> 
> On the other hand given the vetting practices of some CAs it is not  
> impossible to imagine that a cert could not be acquired for almost any  
> domain.
> 
> So SSL is better than no SSL, SHA256 is better than SHA1, checking
> the returned assertion against the discovered information is better
> than not.
> 
> Defense in depth is better than no defense.  Nothing is perfect but  
> you need to consider the security and cost of the whole system vs the  
> value of what you are protecting.
> 
> Regards
> John Bradley
> 
> 

-- 
View this message in context: http://www.nabble.com/My-2-Cents-to-the-OpenID-foundation-tp22841100p22863333.html
Sent from the OpenID - General mailing list archive at Nabble.com.
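The "combinations" problem in point 3 is what the OpenID 2.0 association negotiation is meant to absorb: an RP asks for its preferred assoc_type/session_type pair, and an OP that refuses it answers with error_code "unsupported-type" and may hint the pair it does accept, so the RP can retry. The following is an added example written for this page, not code from the thread, from MySpace, or from any OP/RP library. It models both sides of the associate exchange (DH-SHA1, DH-SHA256 and no-encryption), then runs a constructed SHA-256-only OP policy against a SHA-1-only RP (which fails, as described above) and against an RP that honours the hint (which succeeds and recovers the same MAC key the OP stored). The DH modulus is reproduced from memory as the spec's Appendix B default and should be checked against the spec; the policy lists, handles and message fields are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# Default DH modulus/generator as given in OpenID Authentication 2.0, Appendix B
# (reproduced from memory for this example; verify against the spec before reuse).
DEFAULT_P = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
DEFAULT_G = 2

# assoc_type -> (hash used by the matching DH session type, MAC key length in bytes)
PROFILES = {"HMAC-SHA1": (hashlib.sha1, 20), "HMAC-SHA256": (hashlib.sha256, 32)}

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (leading 0x00 if needed)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def b64_int(n: int) -> str:
    return base64.b64encode(btwoc(n)).decode()

def int_b64(s: str) -> int:
    return int.from_bytes(base64.b64decode(s), "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class OP:
    # supported: ordered list of (assoc_type, session_type); first entry is the hint we give
    def __init__(self, supported):
        self.supported = list(supported)
        self.assocs = {}  # assoc_handle -> (assoc_type, mac_key)

    def associate(self, req):
        pair = (req["assoc_type"], req["session_type"])
        if pair not in self.supported:
            hint = self.supported[0]  # refuse, but tell the RP what we would accept
            return {"error_code": "unsupported-type", "assoc_type": hint[0], "session_type": hint[1]}
        h, klen = PROFILES[pair[0]]
        mac_key = secrets.token_bytes(klen)
        handle = secrets.token_hex(8)
        self.assocs[handle] = (pair[0], mac_key)
        resp = {"assoc_handle": handle, "assoc_type": pair[0], "session_type": pair[1]}
        if pair[1] == "no-encryption":
            # MAC key travels in the clear: only acceptable on a TLS-protected endpoint
            resp["mac_key"] = base64.b64encode(mac_key).decode()
            return resp
        y = secrets.randbelow(DEFAULT_P - 2) + 1
        shared = pow(int_b64(req["dh_consumer_public"]), y, DEFAULT_P)
        resp["dh_server_public"] = b64_int(pow(DEFAULT_G, y, DEFAULT_P))
        resp["enc_mac_key"] = base64.b64encode(xor(mac_key, h(btwoc(shared)).digest())).decode()
        return resp

class RP:
    # supported: ordered list of (assoc_type, session_type), most preferred first
    def __init__(self, supported):
        self.supported = list(supported)

    def associate(self, op):
        pair = self.supported[0]
        for _ in range(2):  # one attempt, plus one retry on the OP's unsupported-type hint
            req = {"assoc_type": pair[0], "session_type": pair[1]}
            x = None
            if pair[1] != "no-encryption":
                x = secrets.randbelow(DEFAULT_P - 2) + 1
                req["dh_consumer_public"] = b64_int(pow(DEFAULT_G, x, DEFAULT_P))
            resp = op.associate(req)
            if resp.get("error_code") != "unsupported-type":
                return self._recover_key(resp, x)
            hint = (resp.get("assoc_type"), resp.get("session_type"))
            if hint not in self.supported:
                raise RuntimeError(f"OP offers only {hint}; RP supports {self.supported}")
            pair = hint
        raise RuntimeError("OP rejected its own hinted association type")

    def _recover_key(self, resp, x):
        h, _ = PROFILES[resp["assoc_type"]]
        if resp["session_type"] == "no-encryption":
            return resp["assoc_handle"], resp["assoc_type"], base64.b64decode(resp["mac_key"])
        shared = pow(int_b64(resp["dh_server_public"]), x, DEFAULT_P)
        mac_key = xor(base64.b64decode(resp["enc_mac_key"]), h(btwoc(shared)).digest())
        return resp["assoc_handle"], resp["assoc_type"], mac_key

def sign(assoc_type, mac_key, fields):
    # HMAC over a key:value message, as the OP signs its assertions
    body = "".join(f"{k}:{v}\n" for k, v in fields).encode()
    return hmac.new(mac_key, body, PROFILES[assoc_type][0]).digest()

def negotiate(op_pairs, rp_pairs):
    # Run a constructed RP policy against a constructed OP policy and report the outcome
    op, rp = OP(op_pairs), RP(rp_pairs)
    try:
        handle, assoc_type, rp_key = rp.associate(op)
    except RuntimeError as exc:
        return {"outcome": "failed", "reason": str(exc)}
    fields = [("mode", "id_res"), ("assoc_handle", handle)]  # constructed sample message
    same = hmac.compare_digest(sign(assoc_type, rp_key, fields),
                               sign(assoc_type, op.assocs[handle][1], fields))
    return {"outcome": assoc_type, "keys_match": same}
```

Running `negotiate([("HMAC-SHA256", "DH-SHA256")], [("HMAC-SHA1", "DH-SHA1")])` reproduces the breakage described in point 2: the OP hints HMAC-SHA256/DH-SHA256, the RP does not support it, and association fails. Adding that pair to the RP's list makes the same call succeed on the retry, with both sides producing identical signatures. Note that the negotiation only solves the assoc_type/session_type dimension; whether the endpoint is reached over SSL is outside it, and the no-encryption branch exists precisely because the spec assumes TLS for that case.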