[OpenID] general Digest, Vol 32, Issue 55

Santosh Rajan santrajan at gmail.com
Thu Apr 9 04:35:34 UTC 2009


Ok John I think you have convinced me on this. 

John Bradley-7 wrote:
> 
> Santosh,
> 
> I think that is unfair.
> 
> MySpace are openID 2.0 compliant.
> 
> There is an unfortunate interop hole in the 2.0 spec that states:
> 6.2.  Signature Algorithms
> OpenID Authentication supports two signature algorithms:
> 
> 	• HMAC-SHA1 - 160 bit key length ([RFC2104] and [RFC3174])
> 	• HMAC-SHA256 - 256 bit key length ([RFC2104] and [FIPS180-2])
> If supported, the use of HMAC-SHA256 is RECOMMENDED.
> 
> This allows OPs and RPs to support only one of the two options with  
> HMAC-SHA256 being RECOMMENDED.
> 
> If an OP and RP each only implement one and they are different they  
> can't associate.
> Clearly one should be REQUIRED as opposed to only RECOMMENDED.
> 
> Yahoo and I have debated this a number of times. When it comes down to  
> it if you implement one of the two you meet the spec requirement.
> 
> It is worth noting that in your case the RP not implementing the  
> RECOMMENDED option should bear an even greater share of the blame for  
> the interop failure. But I am going to give this a 50/50 split for the  
> sake of argument.
> 
> DH associations are a part of the 2.0 spec Myspace have implemented it  
> your RP has not...  I have to put 100% of the fault on your RP for that.
> 
> Remember the openID 2.0 spec is specifically written so that it can be  
> implemented without any SSL.  That is the spec like it or not.
> 
> As you say your RP should proceed with stateless mode according to the  
> spec.
> 
> In stateless mode the RP is not validating the signature it is passing  
> it back to the OP for direct validation.  The signature algorithm in  
> that case is entirely up to the OP.  If your RP is not able to use  
> stateless mode with any arbitrary signature method then there is a bug  
> in the RP.  Again 100% of the problem is with the RP.
> 
> We are working on getting MySpace engaged with OSIS testing.  They are  
> still a new OP but they have made a good start.
> 
> If we got rid of every OP that has not implemented the complete spec  
> in and all the extensions in a way I consider to be 100% spec  
> compliant, there would be no OPs.
> 
> We need to encourage people to improve their services through positive  
> reinforcement rather than call people names.
> (I only yell at people in private.)
> 
> If you are writing an openID RP library or some such we would welcome  
> you to participate in OSIS and perhaps we can work through some of  
> your issues.
> 
> Regards
> John Bradley
> 
> 
> 
> On 8-Apr-09, at 8:35 PM, general-request at openid.net wrote:
> 
>> Date: Wed, 8 Apr 2009 18:33:51 -0700 (PDT)
>> From: Santosh Rajan <santrajan at gmail.com>
>> Subject: Re: [OpenID] MySpaceID, Activity Streams, Portable Contacts
>> 	on OpenID.net
>> To: general at openid.net
>> Message-ID: <22962989.post at talk.nabble.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>>
>> My understanding of the OpenID 2.0 specification is the following  
>> and I don't
>> think MySpace is compliant.
>> 1) The RP should be able to negotiate a SHA1 or SHA256 handle. MySpace  
>> does not
>> support SHA1.
>> 2) MySpace does not support session type "no encryption", in which  
>> case an
>> RP might want to go for stateless mode. They hit you with SHA512 in
>> stateless mode! Where did that come from?
>>
>> It is very clear to me that they had no intention of supporting  
>> OpenID and
>> they have only "thrown the spanner into the work".
>>
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 

-- 
View this message in context: http://www.nabble.com/Re%3A-general-Digest%2C-Vol-32%2C-Issue-55-tp22964149p22964315.html
Sent from the OpenID - General mailing list archive at Nabble.com.
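To make the two points in the thread concrete (an OP and RP that each implement only one HMAC type cannot associate; a stateless RP hands the signature back via check_authentication and so never needs to care which algorithm the OP used), here is a small Python model written for this page. It is not code from MySpace, from any OpenID library, or from anyone on the thread. The `SimOP` class, its `assoc-N` handle format, the random MAC key and the `demo()` driver are assumptions of the example; the field names (`assoc_type`, `assoc_handle`, `mac_key`, `signed`, `sig`, `error_code: unsupported-type`, `is_valid`) follow the OpenID 2.0 wire format, but HTTP transport and Diffie-Hellman key exchange are left out.

```python
import base64
import hashlib
import hmac
import secrets

# OpenID 2.0 sec 6.2: the two association types and their MAC key lengths (160 / 256 bits).
KEY_LEN = {"HMAC-SHA1": 20, "HMAC-SHA256": 32}
DIGEST = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_encode(fields):
    """Key-Value form encoding over the fields in the given order."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def mac(assoc_type, key, fields):
    """Base64 HMAC over the key-value encoding of the signed fields."""
    digest = hmac.new(key, kv_encode(fields).encode(), DIGEST[assoc_type]).digest()
    return base64.b64encode(digest).decode()


class SimOP:
    """Constructed toy OP (assumption of this example): issues only the association
    types in `supported`, signs assertions, and answers check_authentication."""

    def __init__(self, supported):
        self.supported = set(supported)
        self.assocs = {}  # assoc_handle -> (assoc_type, mac_key)

    def associate(self, assoc_type, session_type="no-encryption"):
        if assoc_type not in self.supported:
            # Spec behaviour: "unsupported-type" plus a hint of what the OP does support.
            return {"error": "unsupported association type",
                    "error_code": "unsupported-type",
                    "assoc_type": sorted(self.supported)[0],
                    "session_type": session_type}
        handle = f"assoc-{len(self.assocs) + 1}"  # constructed handle format
        key = secrets.token_bytes(KEY_LEN[assoc_type])
        self.assocs[handle] = (assoc_type, key)
        return {"assoc_handle": handle, "assoc_type": assoc_type,
                "mac_key": base64.b64encode(key).decode()}

    def sign(self, handle, fields):
        """Positive assertion signed under association `handle`."""
        assoc_type, key = self.assocs[handle]
        signed = sorted(fields)
        sig = mac(assoc_type, key, {k: fields[k] for k in signed})
        return dict(fields, assoc_handle=handle, signed=",".join(signed), sig=sig)

    def check_authentication(self, response):
        """Stateless mode: the OP re-checks its own signature with its own key."""
        assoc = self.assocs.get(response.get("assoc_handle"))
        if assoc is None:
            return {"is_valid": "false"}
        assoc_type, key = assoc
        signed = response["signed"].split(",")
        expected = mac(assoc_type, key, {k: response[k] for k in signed})
        return {"is_valid": "true" if hmac.compare_digest(expected, response["sig"]) else "false"}


def rp_associate(op, rp_supported, preferred="HMAC-SHA256"):
    """RP side: try the preferred type, then the OP's hint; None if no common algorithm."""
    first = preferred if preferred in rp_supported else sorted(rp_supported)[0]
    resp = op.associate(first)
    if "assoc_handle" in resp:
        return resp
    hint = resp.get("assoc_type")
    if resp.get("error_code") == "unsupported-type" and hint in rp_supported:
        resp = op.associate(hint)
        if "assoc_handle" in resp:
            return resp
    return None  # the interop hole from the thread: association impossible


def rp_verify_with_association(assoc, response):
    """Stateful RP: verifies locally with the shared MAC key."""
    key = base64.b64decode(assoc["mac_key"])
    signed = response["signed"].split(",")
    expected = mac(assoc["assoc_type"], key, {k: response[k] for k in signed})
    return hmac.compare_digest(expected, response["sig"])


def rp_verify_stateless(op, response):
    """Stateless RP: never sees a key or picks an algorithm, it just asks the OP."""
    return op.check_authentication(response)["is_valid"] == "true"


def demo():
    op = SimOP({"HMAC-SHA256"})  # like the OP in the thread: SHA-256 associations only
    fields = {"mode": "id_res", "claimed_id": "http://example.com/alice",  # constructed
              "return_to": "http://rp.example/finish"}

    sha1_only = rp_associate(op, {"HMAC-SHA1"})            # None: the two cannot associate
    both = rp_associate(op, {"HMAC-SHA1", "HMAC-SHA256"})  # succeeds with HMAC-SHA256
    resp = op.sign(both["assoc_handle"], fields)
    local_ok = rp_verify_with_association(both, resp)

    # Stateless RP: the OP signs under a private association of its own choosing.
    private = op.associate(sorted(op.supported)[0])
    resp2 = op.sign(private["assoc_handle"], fields)
    stateless_ok = rp_verify_stateless(op, resp2)
    tampered_ok = rp_verify_stateless(op, dict(resp2, claimed_id="http://example.com/mallory"))

    return {"sha1_only": sha1_only, "assoc_type": both["assoc_type"],
            "local_ok": local_ok, "stateless_ok": stateless_ok, "tampered_ok": tampered_ok}
```

Running `demo()` shows the SHA1-only RP failing to associate exactly as described in the thread, the RP that implements both types associating cleanly, and the stateless RP accepting a genuine assertion and rejecting a tampered one without ever inspecting the signing algorithm; an RP that tries to interpret the OP's signature method in stateless mode is taking on work the spec assigns to the OP.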