[OpenID] MySpaceID, Activity Streams, Portable Contacts on OpenID.net

Allen Tom atom at yahoo-inc.com
Thu Apr 9 02:34:20 UTC 2009

Santosh Rajan wrote:
> My understanding of the OpenID 2.0 specification is the following and I don't
> think MySpace is compliant.
> 1) The RP should be able to negotiate a SHA1 or SHA256 handle. MySpace does not
> support SHA1.
My interpretation of Section 6.2 of the OpenID 2.0 spec is that OPs can 
support either HMAC-SHA1, or HMAC-SHA256, or both.

FWIW, Yahoo only supports HMAC-SHA1, and does not support HMAC-SHA256.

> 2) MySpace does not support session type "no encryption", in which case an
> RP might want to go for stateless mode. They hit you with SHA512 in
> stateless mode! Where did that come from?
Section 8.1.1 says that "no-encryption" MUST NOT be used unless 
transport layer encryption is used. I believe that the MySpace OP 
doesn't use HTTPS, so they can't use no-encryption for association requests.

I believe that MySpace is fully compliant with the OpenID 2.0 spec. It 
would be nice if they supported directed identity, so that users can 
type in "myspace.com", but this behavior is not required by the spec.
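The negotiation the two posts argue about, modelled end to end as an added example (this is not code from the thread, from Yahoo or from MySpace): an RP asks an OP for an association with a preferred assoc_type and session_type, the OP answers either with an association or with the spec's "unsupported-type" error naming a pair it does accept, the RP retries once if it can, and otherwise runs stateless and verifies the OP's signature via check_authentication. Assumptions: OP and RP run in the same process (the `OP`, `RP` and `login` names are the example's own), handles and nonces are constructed, and the Diffie-Hellman key transport of the DH-SHA1/DH-SHA256 session types is not implemented, so for those session types the MAC key is handed over in memory where a real OP would return dh_server_public and enc_mac_key. no-encryption is allowed only for an OP whose endpoint is HTTPS, which is the section 8.1.1 rule discussed above.

```python
"""OpenID 2.0 association negotiation and assertion verification, in-process.

Added example, not code from the mailing-list thread or from any OP.
ASSUMPTION: DH key transport is omitted; a DH-* session hands the MAC key
over in memory instead of returning dh_server_public / enc_mac_key.
"""
import base64
import hashlib
import hmac
import os

OPENID_NS = "http://specs.openid.net/auth/2.0"
ASSOC_HASH = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
ASSOC_PREF = ["HMAC-SHA256", "HMAC-SHA1"]
SESSION_PREF = ["DH-SHA256", "DH-SHA1", "no-encryption"]


def sign(assoc_type, mac_key, fields, signed):
    """HMAC over the Key-Value form of the signed fields (one 'key:value' line each)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return hmac.new(mac_key, kv.encode(), ASSOC_HASH[assoc_type]).hexdigest()


class OP:
    def __init__(self, assoc_types, session_types, https):
        self.assoc_types, self.session_types, self.https = assoc_types, session_types, https
        self.assocs, self.private = {}, set()  # handle -> (assoc_type, mac_key); private handles

    def _session_ok(self, s):  # 8.1.1: no-encryption only when the endpoint is TLS-protected
        return s in self.session_types and (s != "no-encryption" or self.https)

    def associate(self, req):
        a, s = req["openid.assoc_type"], req["openid.session_type"]
        if a not in self.assoc_types or not self._session_ok(s):
            # 8.2.4: refuse, and name a pair we do support so the RP can retry
            return {"ns": OPENID_NS, "error": "unsupported type", "error_code": "unsupported-type",
                    "assoc_type": next(t for t in ASSOC_PREF if t in self.assoc_types),
                    "session_type": next(t for t in SESSION_PREF if self._session_ok(t))}
        mac_key = os.urandom(ASSOC_HASH[a]().digest_size)
        handle = os.urandom(8).hex()  # constructed handle
        self.assocs[handle] = (a, mac_key)
        resp = {"ns": OPENID_NS, "assoc_handle": handle, "assoc_type": a,
                "session_type": s, "expires_in": "1209600"}
        if s == "no-encryption":
            resp["mac_key"] = base64.b64encode(mac_key).decode()
        else:
            resp["_demo_plain_mac_key"] = mac_key  # ASSUMPTION: stands in for the DH exchange
        return resp

    def positive_assertion(self, handle, claimed_id):
        """Signed id_res response; a stateless RP (no handle) gets a private association."""
        if handle is None:
            handle = os.urandom(8).hex()
            self.assocs[handle] = ("HMAC-SHA256", os.urandom(32))
            self.private.add(handle)
        a, key = self.assocs[handle]
        f = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.claimed_id": claimed_id,
             "openid.op_endpoint": "https://op.example/server",  # constructed endpoints
             "openid.return_to": "https://rp.example/cb", "openid.assoc_handle": handle,
             "openid.response_nonce": "2009-04-09T02:34:20Z" + os.urandom(4).hex(),
             "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id"}
        f["openid.sig"] = sign(a, key, f, f["openid.signed"])
        return f

    def check_authentication(self, f):
        """Stateless verification: private associations only, each handle answered once."""
        handle = f["openid.assoc_handle"]
        if handle not in self.private:
            return False
        a, key = self.assocs.pop(handle)
        self.private.discard(handle)  # no second verification response for the same assertion
        return hmac.compare_digest(sign(a, key, f, f["openid.signed"]), f["openid.sig"])


class RP:
    def __init__(self, assoc_types, session_types):
        self.assoc_types, self.session_types, self.assoc = assoc_types, session_types, None

    def associate(self, op):
        """Negotiate an association; False means fall back to stateless mode."""
        pref = ["no-encryption"] + SESSION_PREF[:2] if op.https else SESSION_PREF
        a = next(t for t in ASSOC_PREF if t in self.assoc_types)
        s = next(t for t in pref if t in self.session_types)
        for _ in range(2):  # one request, then at most one retry with the OP's suggestion
            resp = op.associate({"openid.ns": OPENID_NS, "openid.mode": "associate",
                                 "openid.assoc_type": a, "openid.session_type": s})
            if resp.get("error_code") != "unsupported-type":
                key = (base64.b64decode(resp["mac_key"]) if s == "no-encryption"
                       else resp["_demo_plain_mac_key"])
                self.assoc = (resp["assoc_handle"], a, key)
                return True
            a, s = resp.get("assoc_type"), resp.get("session_type")
            if a not in self.assoc_types or s not in self.session_types or (
                    s == "no-encryption" and not op.https):
                return False
        return False

    def verify(self, op, f):
        """Check with the shared MAC key, or ask the OP (check_authentication) when stateless."""
        if self.assoc and f["openid.assoc_handle"] == self.assoc[0]:
            _, a, key = self.assoc
            return hmac.compare_digest(sign(a, key, f, f["openid.signed"]), f["openid.sig"])
        return op.check_authentication(f)


def login(op, rp):
    """Negotiate (or not) and verify one assertion: (assoc_type in use or None, verified)."""
    handle = rp.assoc[0] if rp.associate(op) else None
    f = op.positive_assertion(handle, "http://user.example/")
    return (rp.assoc[1] if handle else None, rp.verify(op, f))
```

Running `login` against an OP that offers only HMAC-SHA256 with DH-SHA256 over plain HTTP (the situation the thread describes) succeeds on the first request for an RP that supports both hashes; an RP that only speaks HMAC-SHA1 gets the unsupported-type reply, cannot retry, and ends up verifying through check_authentication instead. A no-encryption request to the non-HTTPS OP is refused with the same error, which is the section 8.1.1 behaviour.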

