[OpenID] general Digest, Vol 32, Issue 55

John Bradley john.bradley at wingaa.com
Thu Apr 9 04:12:08 UTC 2009


Santosh,

I think that is unfair.

MySpace are openID 2.0 compliant.

There is an unfortunate interop hole in the 2.0 spec that states:
6.2.  Signature Algorithms
OpenID Authentication supports two signature algorithms:

	• HMAC-SHA1 - 160 bit key length ([RFC2104] and [RFC3174])
	• HMAC-SHA256 - 256 bit key length ([RFC2104] and [FIPS180-2])

If supported, the use of HMAC-SHA256 is RECOMMENDED.

This allows OPs and RPs to support only one of the two options with  
HMAC-SHA256 being RECOMMENDED.

If an OP and RP each only implement one and they are different, they  
can't associate.
Clearly one should be REQUIRED as opposed to only RECOMMENDED.

Yahoo and I have debated this a number of times. When it comes down to  
it if you implement one of the two you meet the spec requirement.

It is worth noting that in your case the RP not implementing the  
RECOMMENDED option should bear an even greater share of the blame for  
the interop failure. But I am going to give this a 50/50 split for the  
sake of argument.

DH associations are a part of the 2.0 spec. MySpace have implemented it;  
your RP has not...  I have to put 100% of the fault on your RP for that.

Remember the openID 2.0 spec is specifically written so that it can be  
implemented without any SSL.  That is the spec like it or not.

As you say your RP should proceed with stateless mode according to the  
spec.

In stateless mode the RP is not validating the signature; it is passing  
it back to the OP for direct validation.  The signature algorithm in  
that case is entirely up to the OP.  If your RP is not able to use  
stateless mode with any arbitrary signature method then there is a bug  
in the RP.  Again 100% of the problem is with the RP.

We are working on getting MySpace engaged with OSIS testing.  They are  
still a new OP but they have made a good start.

If we got rid of every OP that has not implemented the complete spec  
in and all the extensions in a way I consider to be 100% spec  
compliant, there would be no OPs.

We need to encourage people to improve their services through positive  
reinforcement rather than call people names.
(I only yell at people in private.)

If you are writing an openID RP library or some such we would welcome  
you to participate in OSIS and perhaps we can work through some of  
your issues.

Regards
John Bradley



On 8-Apr-09, at 8:35 PM, general-request at openid.net wrote:

> Date: Wed, 8 Apr 2009 18:33:51 -0700 (PDT)
> From: Santosh Rajan <santrajan at gmail.com>
> Subject: Re: [OpenID] MySpaceID, Activity Streams, Portable Contacts
> 	on OpenID.net
> To: general at openid.net
> Message-ID: <22962989.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> My understanding of the OpenID 2.0 specification is the following
> and I don't think MySpace is compliant.
> 1) The RP should be able to negotiate a SHA1 or SHA256 handle. MySpace
> does not support SHA1.
> 2) MySpace does not support session type "no encryption", in which
> case an RP might want to go for stateless mode. They hit you with SHA512 in
> stateless mode! Where did that come from?
>
> It is very clear to me that they had no intention of supporting
> OpenID and they have only "thrown the spanner into the work".
>
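As an added illustration of the two points argued in the thread (an OP and RP that each implement only one of HMAC-SHA1 / HMAC-SHA256 cannot associate, and an RP in stateless mode hands the signed assertion back to the OP and never needs to know the algorithm), here is a self-contained Python model. It is not code from the list, from MySpace, or from any OpenID library. The OP and RP are in-process toys, and the association key transport (DH or no-encryption over TLS) is deliberately omitted: the MAC key is handed over directly, which is an assumption made for brevity. Signatures are computed the way OpenID 2.0 section 6.1 describes: base64 of an HMAC over the Key-Value Form encoding of the fields named in openid.signed.

```python
import base64
import hashlib
import hmac
import secrets

# Digest functions for the two association types in OpenID 2.0 section 6.2.
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form(fields, signed):
    """Key-Value Form (section 4.1.1) of the fields named in openid.signed,
    keys without the 'openid.' prefix. This is the byte string the HMAC covers."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed.split(","))


def sign(mac_key, assoc_type, fields, signed):
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), DIGESTS[assoc_type]).digest()
    return base64.b64encode(mac).decode()


class OP:
    """Toy OP (constructed). assoc_types: supported types, most preferred first."""

    def __init__(self, assoc_types):
        self.assoc_types = assoc_types
        self.assocs = {}  # handle -> (assoc_type, mac_key), shared and private alike

    def _new_assoc(self, assoc_type):
        handle = secrets.token_hex(8)
        key = secrets.token_bytes(DIGESTS[assoc_type]().digest_size)
        self.assocs[handle] = (assoc_type, key)
        return handle, key

    def associate(self, assoc_type):
        # Section 8.2.4: an unsupported type gets error_code unsupported-type,
        # and the OP may name a type it does support.
        if assoc_type not in self.assoc_types:
            return {"error": "unsupported-type", "error_code": "unsupported-type",
                    "assoc_type": self.assoc_types[0]}
        handle, key = self._new_assoc(assoc_type)
        # Assumption: key transport (DH / no-encryption over TLS) is left out.
        return {"assoc_handle": handle, "assoc_type": assoc_type, "mac_key": key}

    def positive_assertion(self, claimed_id, return_to, assoc_handle=None):
        # No shared association: the OP signs with a private one (stateless mode),
        # choosing its own algorithm; the RP must then use check_authentication.
        if assoc_handle not in self.assocs:
            assoc_handle, _ = self._new_assoc(self.assoc_types[0])
        assoc_type, key = self.assocs[assoc_handle]
        fields = {"mode": "id_res", "claimed_id": claimed_id, "return_to": return_to,
                  "assoc_handle": assoc_handle, "response_nonce": secrets.token_hex(4),
                  "signed": "mode,claimed_id,return_to,assoc_handle,response_nonce"}
        fields["sig"] = sign(key, assoc_type, fields, fields["signed"])
        return fields

    def check_authentication(self, fields):
        # Section 11.4.2: the OP verifies with the key behind the handle, using
        # whatever algorithm it chose; the RP never needs to implement it.
        assoc = self.assocs.get(fields["assoc_handle"])
        ok = assoc is not None and hmac.compare_digest(
            sign(assoc[1], assoc[0], fields, fields["signed"]), fields["sig"])
        return {"is_valid": "true" if ok else "false"}


class RP:
    """Toy RP (constructed). assoc_types: types it implements, most preferred first."""

    def __init__(self, assoc_types):
        self.assoc_types = assoc_types
        self.assoc = None  # (handle, assoc_type, mac_key) once established

    def associate(self, op):
        tried, want = set(), self.assoc_types[0]
        while want and want not in tried:
            tried.add(want)
            resp = op.associate(want)
            if "error" not in resp:
                self.assoc = (resp["assoc_handle"], resp["assoc_type"], resp["mac_key"])
                return resp["assoc_type"]
            # Retry only with a suggested type this RP implements; if there is
            # none, give up on association and fall back to stateless mode.
            want = resp.get("assoc_type")
            if want not in self.assoc_types:
                want = None
        return None

    def verify(self, op, fields):
        if self.assoc and fields["assoc_handle"] == self.assoc[0]:
            _, assoc_type, key = self.assoc
            return hmac.compare_digest(sign(key, assoc_type, fields, fields["signed"]), fields["sig"])
        # Stateless mode: hand the assertion back to the OP for direct verification.
        return op.check_authentication(fields)["is_valid"] == "true"


def run_login(rp, op, claimed_id="http://user.example/", return_to="https://rp.example/return"):
    """Full flow: associate (or not), receive an assertion, verify it, then verify a
    tampered copy. Returns (association type or None, verified, tamper_rejected)."""
    assoc_type = rp.associate(op)
    fields = op.positive_assertion(claimed_id, return_to, rp.assoc[0] if rp.assoc else None)
    tampered = dict(fields, return_to="https://other.example/return")
    return assoc_type, rp.verify(op, fields), not rp.verify(op, tampered)
```

The first case below is the one the thread describes: an RP that implements only HMAC-SHA1 against an OP that implements only HMAC-SHA256 cannot associate, yet the login still verifies because the OP checks its own signature. An RP that implements both follows the OP's unsupported-type hint and associates with HMAC-SHA256 instead.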



