[OpenID] My 2 Cents to the OpenID foundation

Santosh Rajan santrajan at gmail.com
Wed Apr 8 05:49:11 UTC 2009


Thanks John. Now its clearer. I was only wondering that maybe we should stick
to SHA1 only in that case to verify signature since we are only transporting
basic profile information. So that it does not cause incompatilities like
the myspace case.

John Bradley-7 wrote:
> 
> Santrajan,
> 
> The symmetric encryption is key SHA1 or SHA256 is set per RP/OP  
> association.
> 
> It would take some real bending of the protocol for the RP to have two  
> associations and choose the one to use based on what the OP might send  
> back.
> 
> It is also unlikely that PCI rules are going to allow any OP to store  
> credit cards numbers and make them available via AX.
> There is going to have to be something other than AX as it is now for  
> authenticating financial transactions.
> 
> We also need to remember this signature is only intended to prevent  
> tampering and is not used for encryption.
> For AX including the attributes in the signed portion of the message  
> is optional in any event.
> 
> Yes the OP may send back attributes that could be modified by the user  
> without the RP knowing.
> 
> The AX 1.0 spec allows OP's and RPs to negotiate any sort of signing  
> and/or encryption they like for attributes.
> However there is no standard for that,  so at the moment the most OPs  
> can do is include the AX attributes in the signed part of the response.
> 
> We have talked for a while about the need for AX 2.0 to address some  
> of the ambiguities and add things like encryption and structured  
> attributes.
> 
> I am hopping work on that can get started soon!
> 
> John Bradley
> 
> On 7-Apr-09, at 7:23 PM, general-request at openid.net wrote:
> 
>> Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)
>> From: santrajan <santrajan at gmail.com>
>> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
>> To: general at openid.net
>> Message-ID: <22941702.post at talk.nabble.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>>
>> I think the degree of security required must be proportional to the  
>> value of
>> the information you are carrying. SHA1 is fine for basic profile  
>> data. You
>> need SHA256 only for things like credit card no, social security no,  
>> bank
>> account no etc etc.
>>
>>
>> Allen Tom-2 wrote:
>>>
>>> John Bradley wrote:
>>>>
>>>> Yahoo and I have an ongoing disagreement over the requirement for
>>>> openID 2.0 OPs to support HMAC-SHA256,  they believe that HMAC- 
>>>> SHA1 is
>>>> sufficient. I think that if an RP ask for a SHA256 association they
>>>> should support it.  (Allen feel free to defend yourself:)
>>> Hi John,
>>>
>>> I don't think any RP has asked us to support HMAC-SHA256, so we  
>>> haven't
>>> gotten around to implementing it yet. As far as I can tell, Section  
>>> 6.2
>>> of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.
>>>
>>> Thanks
>>> Allen
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>>
> 
> 
>  
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 

-- 
View this message in context: http://www.nabble.com/My-2-Cents-to-the-OpenID-foundation-tp22841100p22943636.html
Sent from the OpenID - General mailing list archive at Nabble.com.




More information about the general mailing list