[OpenID] My 2 Cents to the OpenID foundation

santrajan santrajan at gmail.com
Wed Apr 8 01:56:52 UTC 2009

I think the degree of security required must be proportional to the value of
the information you are carrying. SHA1 is fine for basic profile data. You
need SHA256 only for things like credit card no, social security no, bank
account no etc etc.

Allen Tom-2 wrote:
> John Bradley wrote:
>> Yahoo and I have an ongoing disagreement over the requirement for
>> OpenID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
>> sufficient. I think that if an RP asks for a SHA256 association they
>> should support it. (Allen, feel free to defend yourself :)
> Hi John,
> I don't think any RP has asked us to support HMAC-SHA256, so we haven't 
> gotten around to implementing it yet. As far as I can tell, Section 6.2 
> of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.
> Thanks
> Allen
