[OpenID] My 2 Cents to the OpenID foundation

Allen Tom atom at yahoo-inc.com
Mon Apr 6 22:40:32 UTC 2009

John Bradley wrote:
> Yahoo and I have an ongoing disagreement over the requirement for
> OpenID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
> sufficient. I think that if an RP asks for a SHA256 association they
> should support it.  (Allen, feel free to defend yourself :)
Hi John,

I don't think any RP has asked us to support HMAC-SHA256, so we haven't 
gotten around to implementing it yet. As far as I can tell, Section 6.2 
of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.

