[OpenID] general Digest, Vol 32, Issue 55
Santosh Rajan
santrajan at gmail.com
Thu Apr 9 04:35:34 UTC 2009
OK, John, I think you have convinced me on this.
John Bradley-7 wrote:
>
> Santosh,
>
> I think that is unfair.
>
> MySpace are OpenID 2.0 compliant.
>
> There is an unfortunate interop hole in the 2.0 spec that states:
> 6.2. Signature Algorithms
> OpenID Authentication supports two signature algorithms:
>
> • HMAC-SHA1 - 160 bit key length ([RFC2104] and [RFC3174])
> • HMAC-SHA256 - 256 bit key length ([RFC2104] and [FIPS180-2])
> If supported, the use of HMAC-SHA256 is RECOMMENDED.
>
> This allows OPs and RPs to support only one of the two options with
> HMAC-SHA256 being RECOMMENDED.
>
> If an OP and RP each implement only one, and they are different, they
> can't associate.
> Clearly one should be REQUIRED as opposed to only RECOMMENDED.
>
> Yahoo and I have debated this a number of times. When it comes down to
> it if you implement one of the two you meet the spec requirement.
>
> It is worth noting that in your case the RP not implementing the
> RECOMMENDED option should bear an even greater share of the blame for
> the interop failure. But I am going to give this a 50/50 split for the
> sake of argument.
>
> DH associations are a part of the 2.0 spec. MySpace have implemented
> them; your RP has not... I have to put 100% of the fault on your RP for that.
>
> Remember the OpenID 2.0 spec is specifically written so that it can be
> implemented without any SSL. That is the spec, like it or not.
>
> As you say your RP should proceed with stateless mode according to the
> spec.
>
> In stateless mode the RP is not validating the signature it is passing
> it back to the OP for direct validation. The signature algorithm in
> that case is entirely up to the OP. If your RP is not able to use
> stateless mode with any arbitrary signature method then there is a bug
> in the RP. Again 100% of the problem is with the RP.
>
> We are working on getting MySpace engaged with OSIS testing. They are
> still a new OP but they have made a good start.
>
> If we got rid of every OP that has not implemented the complete spec
> in and all the extensions in a way I consider to be 100% spec
> compliant, there would be no OPs.
>
> We need to encourage people to improve their services through positive
> reinforcement rather than call people names.
> (I only yell at people in private.)
>
> If you are writing an OpenID RP library or some such we would welcome
> you to participate in OSIS and perhaps we can work through some of
> your issues.
>
> Regards
> John Bradley
>
>
>
> On 8-Apr-09, at 8:35 PM, general-request at openid.net wrote:
>
>> Date: Wed, 8 Apr 2009 18:33:51 -0700 (PDT)
>> From: Santosh Rajan <santrajan at gmail.com>
>> Subject: Re: [OpenID] MySpaceID, Activity Streams, Portable Contacts
>> on OpenID.net
>> To: general at openid.net
>> Message-ID: <22962989.post at talk.nabble.com>
>> Content-Type: text/plain; charset=us-ascii
>>
>>
>> My understanding of the OpenID 2.0 specification is the following
>> and I don't
>> think MySpace is compliant.
>> 1) The RP should be able to negotiate a SHA1 or SHA256 handle. MySpace
>> does not
>> support SHA1.
>> 2) MySpace does not support session type "no encryption", In which
>> case an
>> RP might want to go for stateless mode. They hit you with SHA512 in
>> stateless mode! Where did that come from?
>>
>> It is very clear to me that they had no intention of supporting
>> OpenID and
>> they have only "thrown the spanner into the works".
>>
>
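The interop point argued above (an RP that checks HMACs itself must implement the OP's association type, whereas a stateless RP hands the assertion back to the OP and never needs to know the algorithm) as an added, runnable illustration. This is example code written for this page, not from the thread, MySpace, or any OpenID library. The Provider and RelyingParty classes, the fixed MAC key, the assoc handle and the example.invalid / rp.invalid URLs are constructed for the demo; the association handshake is skipped (the RP is handed the OP's MAC key directly). "HMAC-SHA512" is not an association type in the 2.0 spec (section 6.2 lists only HMAC-SHA1 and HMAC-SHA256); it is included only to stand in for the out-of-spec algorithm the thread describes an OP using when the RP runs stateless.

```python
import base64
import hashlib
import hmac

# HMAC-SHA1 and HMAC-SHA256 are the association types in OpenID 2.0 section 6.2.
# HMAC-SHA512 is NOT in the spec; it models the arbitrary algorithm an OP may
# use when the RP runs stateless, as discussed in the thread above.
DIGESTS = {
    "HMAC-SHA1": hashlib.sha1,
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA512": hashlib.sha512,
}


def kv_encode(fields):
    """Key-Value form encoding (spec section 4.1.1) of the fields named in
    openid.signed, in that order, with the "openid." prefix stripped."""
    keys = fields["openid.signed"].split(",")
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def compute_sig(mac_key, assoc_type, fields):
    """openid.sig per spec section 6.1: base64 of the HMAC over the KV encoding."""
    mac = hmac.new(mac_key, kv_encode(fields).encode("utf-8"), DIGESTS[assoc_type])
    return base64.b64encode(mac.digest()).decode("ascii")


class Provider:
    """Toy OP that signs positive assertions with one fixed algorithm."""

    def __init__(self, assoc_type):
        self.assoc_type = assoc_type
        self.mac_key = b"constructed-demo-mac-key"  # constructed; a real OP uses random bytes

    def positive_assertion(self, claimed_id, return_to):
        fields = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.claimed_id": claimed_id,
            "openid.return_to": return_to,
            "openid.assoc_handle": "demo-handle",  # constructed handle
            "openid.signed": "ns,mode,claimed_id,return_to,assoc_handle",
        }
        fields["openid.sig"] = compute_sig(self.mac_key, self.assoc_type, fields)
        return fields

    def check_authentication(self, request):
        """Direct verification (spec section 11.4.2): the OP re-checks a signature
        it produced. The RP copied every field except openid.mode, so the OP
        restores mode=id_res before recomputing the HMAC over the signed fields."""
        if request.get("openid.mode") != "check_authentication":
            return {"error": "bad mode"}
        assertion = {**request, "openid.mode": "id_res"}
        expected = compute_sig(self.mac_key, self.assoc_type, assertion)
        ok = hmac.compare_digest(expected, request.get("openid.sig", ""))
        return {"is_valid": "true" if ok else "false"}


class RelyingParty:
    """Toy RP; `supported` is the set of association types it implements."""

    def __init__(self, supported):
        self.supported = supported

    def verify_with_association(self, mac_key, assoc_type, fields):
        # Associated mode: the RP computes the HMAC itself, so it must implement
        # the algorithm the association was made with. Refuse rather than guess.
        if assoc_type not in self.supported:
            raise ValueError(f"RP does not implement {assoc_type}")
        return hmac.compare_digest(compute_sig(mac_key, assoc_type, fields), fields["openid.sig"])

    def verify_stateless(self, op, fields):
        # Stateless mode: no shared key and no local HMAC. The RP sends the
        # assertion back with openid.mode=check_authentication and accepts the
        # OP's is_valid answer; which HMAC the OP used is invisible here.
        request = {**fields, "openid.mode": "check_authentication"}
        return op.check_authentication(request).get("is_valid") == "true"


def run_demo():
    """An RP implementing only HMAC-SHA1 meets an OP signing with HMAC-SHA512.
    Returns (association_ok, stateless_ok, tampered_ok)."""
    op = Provider("HMAC-SHA512")
    rp = RelyingParty({"HMAC-SHA1"})
    assertion = op.positive_assertion("http://example.invalid/alice", "http://rp.invalid/return")
    try:
        association_ok = rp.verify_with_association(op.mac_key, op.assoc_type, assertion)
    except ValueError:
        association_ok = False  # the interop failure the thread describes
    stateless_ok = rp.verify_stateless(op, assertion)
    tampered = {**assertion, "openid.claimed_id": "http://example.invalid/mallory"}
    tampered_ok = rp.verify_stateless(op, tampered)
    return association_ok, stateless_ok, tampered_ok


if __name__ == "__main__":
    print(run_demo())  # (False, True, False)
```

The first element of run_demo() is the failure John describes when OP and RP implement different association types; the second shows the same RP succeeding in stateless mode regardless of the OP's algorithm; the third shows that check_authentication still rejects a modified assertion.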