[OpenID] My 2 Cents to the OpenID foundation

John Bradley john.bradley at wingaa.com
Wed Apr 8 05:38:01 UTC 2009


Santrajan,

The symmetric encryption key, SHA1 or SHA256, is set per RP/OP association.

It would take some real bending of the protocol for the RP to have two associations and choose the one to use based on what the OP might send back.

It is also unlikely that PCI rules are going to allow any OP to store credit card numbers and make them available via AX.
There is going to have to be something other than AX as it is now for authenticating financial transactions.

We also need to remember this signature is only intended to prevent tampering and is not used for encryption.
For AX, including the attributes in the signed portion of the message is optional in any event.

Yes, the OP may send back attributes that could be modified by the user without the RP knowing.

The AX 1.0 spec allows OPs and RPs to negotiate any sort of signing and/or encryption they like for attributes.
However there is no standard for that, so at the moment the most OPs can do is include the AX attributes in the signed part of the response.

We have talked for a while about the need for AX 2.0 to address some of the ambiguities and add things like encryption and structured attributes.

I am hoping work on that can get started soon!

John Bradley

On 7-Apr-09, at 7:23 PM, general-request at openid.net wrote:

> Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)
> From: santrajan <santrajan at gmail.com>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <22941702.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> I think the degree of security required must be proportional to the value of the information you are carrying. SHA1 is fine for basic profile data. You need SHA256 only for things like credit card no, social security no, bank account no etc etc.
>
>
> Allen Tom-2 wrote:
>>
>> John Bradley wrote:
>>>
>>> Yahoo and I have an ongoing disagreement over the requirement for openID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is sufficient. I think that if an RP asks for a SHA256 association they should support it. (Allen feel free to defend yourself:)
>> Hi John,
>>
>> I don't think any RP has asked us to support HMAC-SHA256, so we haven't gotten around to implementing it yet. As far as I can tell, Section 6.2 of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.
>>
>> Thanks
>> Allen
>>
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
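The two points John makes above, that the association type (HMAC-SHA1 or HMAC-SHA256) fixes the MAC used for the whole RP/OP association, and that an AX attribute the OP leaves out of openid.signed can be altered without the RP noticing, can be checked end to end in a few lines. The following is an added example, not code from this thread or from any OpenID library: it builds a constructed positive assertion the way an OP would, signs it over the key-value form of the fields listed in openid.signed (OpenID 2.0 sections 4.1.1 and 10.1), and lets an RP verify it. The endpoint URLs, identifiers, nonce, handle and e-mail value are placeholders; the MAC key is random instead of coming from a real association exchange.

```python
import base64
import hashlib
import hmac
import os

# Hash function and MAC-key length selected by the association type negotiated
# between RP and OP. The key length equals the hash output (20 / 32 bytes).
ASSOC_TYPES = {
    "HMAC-SHA1": (hashlib.sha1, 20),
    "HMAC-SHA256": (hashlib.sha256, 32),
}


def new_mac_key(assoc_type):
    """Constructed stand-in for the MAC key a real RP/OP association would yield."""
    return os.urandom(ASSOC_TYPES[assoc_type][1])


def kv_form(fields, signed_keys):
    """Key-Value form of the signed fields: 'key:value\\n' in openid.signed order,
    with the 'openid.' prefix stripped from each key name (OpenID 2.0 §4.1.1)."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign_fields(fields, signed_keys, mac_key, assoc_type):
    """Base64 HMAC over the kv-form, using the hash the association type selects."""
    digestmod = ASSOC_TYPES[assoc_type][0]
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode("utf-8"), digestmod).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(mac_key, assoc_type, sign_ax):
    """Constructed OP response carrying one AX attribute. sign_ax decides whether
    the AX fields are listed in openid.signed, which AX 1.0 leaves optional."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",    # placeholder
        "openid.claimed_id": "https://op.example/user/alice",   # placeholder
        "openid.identity": "https://op.example/user/alice",     # placeholder
        "openid.return_to": "https://rp.example/finish",        # placeholder
        "openid.response_nonce": "2009-04-08T05:38:01Zabc123",  # constructed
        "openid.assoc_handle": "assoc-1",                       # constructed
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.org",           # constructed
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_ax:
        signed += ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign_fields(fields, signed, mac_key, assoc_type)
    return fields


def rp_verify(fields, mac_key, assoc_type):
    """RP-side check: recompute the HMAC over exactly the fields the OP listed in
    openid.signed and compare in constant time against openid.sig."""
    signed_keys = fields["openid.signed"].split(",")
    expected = sign_fields(fields, signed_keys, mac_key, assoc_type)
    return hmac.compare_digest(expected, fields["openid.sig"])


def tamper_survives(assoc_type, sign_ax):
    """True if a changed AX e-mail value still passes the RP's signature check,
    i.e. the attribute was outside the signed portion of the message."""
    mac_key = new_mac_key(assoc_type)
    resp = op_positive_assertion(mac_key, assoc_type, sign_ax)
    if not rp_verify(resp, mac_key, assoc_type):
        raise RuntimeError("honest response must verify")
    resp["openid.ax.value.email"] = "changed@example.org"  # modified in transit
    return rp_verify(resp, mac_key, assoc_type)


if __name__ == "__main__":
    for assoc_type in ASSOC_TYPES:
        for sign_ax in (False, True):
            print(f"{assoc_type:12} AX in openid.signed={sign_ax!s:5} "
                  f"-> tampering undetected: {tamper_survives(assoc_type, sign_ax)}")
```

Running it shows the same outcome for both association types: with the AX fields outside openid.signed the altered e-mail verifies cleanly, with them inside it does not. The RP's only defence today, as the message says, is to require that the OP list the AX keys in openid.signed and to reject responses where the attributes it relies on are missing from that list; the choice of SHA1 versus SHA256 does not change which fields are protected, only the MAC over them.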
