[OpenID] MySpaceID, Activity Streams, Portable Contacts on OpenID.net

Santosh Rajan santrajan at gmail.com
Thu Apr 9 02:44:50 UTC 2009

I am not convinced, my impression of the spec is that it is up to the RP's to
choose and OP's must support both SHA1 and SHA256. So if an RP supports only
SHA1 or stateless mode myspace will not work. Werent they aware of this?
Dont they want to support as many RP's as possible? Or is it that they dont

Allen Tom-2 wrote:
> Santosh Rajan wrote:
>> My understanding of the OpenID 2.0 specification is the following and I
>> dont
>> think MySpace is compliant.
>> 1) The RP should able to negotiate a SHA1 or SHA256 handle. MySpace does
>> not
>> support SHA1.
> My interpretation of Section 6.2 of the OpenID 2.0 spec is that OPs can 
> support either HMAC-SHA1, or HMAC-SHA256, or both.
> FWIW, Yahoo only supports HMAC-SHA1, and does not support HMAC-SHA256.
>> 2) MySpace does not support session type "no encryption", In which case
>> an
>> RP might want to go for stateless mode. They hit you with SHA512 in
>> stateless mode! Where did that come from?
> Section 8.1.1 says that "no-encryption" MUST NOT be used unless 
> transport layer encryption is used. I believe that the MySpace OP 
> doesn't use HTTPS, so they can't use no-encryption for association
> requests.
> I believe that MySpace is fully compliant with the OpenID 2.0 spec. It 
> would be nice if they supported directed identity, so that users can 
> type in "myspace.com", but this behavior is not required by the spec.
> Allen
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

View this message in context: http://www.nabble.com/MySpaceID%2C-Activity-Streams%2C-Portable-Contacts-on-OpenID.net-tp22940897p22963572.html
Sent from the OpenID - General mailing list archive at Nabble.com.

More information about the general mailing list