[Code] Encrypting communication between the OP and the RP
Russ Ferrill
rferrill at vendorsafe.com
Fri Apr 13 02:56:54 UTC 2012
Yes, I just want to be sure that nobody can intercept the communication between the OP and RP and cause the RP to believe that an unauthenticated user was actually authenticated or even to change the roles sent back for an authenticated user.
Is SSL sufficient for this?
Is there any stronger way to protect this data transfer?
Thanks.
Russ
From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Thursday, April 12, 2012 7:51 PM
To: Russ Ferrill; openid-code at lists.openid.net
Subject: RE: [Code] Encrypting communication between the OP and the RP
As long as you don't mind the user who is logging in observing the data (not usually considered a problem) then SSL should be fine. And yes, requireSsl=true is a good setting to enforce this.
Sent from my Windows Phone
________________________________
From: Russ Ferrill
Sent: 4/12/2012 1:05 PM
To: openid-code at lists.openid.net<mailto:openid-code at lists.openid.net>
Subject: [Code] Encrypting communication between the OP and the RP
Hello,
I am implementing an OpenID provider using the DNOA code. I want to be sure that the communication between the OP and the RP is secure. I'm only concerned about authentication requests and authentication responses. As far as I can tell from looking at the code this is all "indirect" communication accomplished by redirecting the end-user's browser. I want to be sure that the data included in the authentication request and the authentication response is encrypted. In order to accomplish this, do I have to do anything other than make the OP endpoint an HTTPS URL protected by SSL? Would it be a good idea to set the require ssl configuration values to true? Is there anything else specific to the DNOA code that I need to configure or modify in order to support this?
Thanks.
Russ Ferrill
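The thread leaves implicit what protects the fields of an indirect response once it has left the OP: SSL hides the redirect from third parties, but the end user's browser is what delivers it, so the RP relies on the OpenID 2.0 signature (an HMAC with the association's MAC key over the fields listed in openid.signed, computed over their Key-Value form) to detect any change to the assertion or to a signed extension value such as roles, and on the response nonce to reject a replay. The following is an added example, not code from the thread or from DotNetOpenAuth; it shows an RP-side verification routine in Python and goes slightly beyond the thread by also covering the case of an extension value the OP did not sign. The association handle, MAC key, endpoints, nonce and the roles attribute type are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the association the RP established with the OP earlier
# (DNOA keeps this in its association store). Placeholder values, not real keys.
ASSOC_HANDLE = "{HMAC-SHA256}{constructed-handle}"
MAC_KEY = hashlib.sha256(b"constructed example association secret").digest()  # 32-byte MAC key
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Fields OpenID 2.0 (section 10.1) requires the OP to sign in every positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def key_value_form(params, signed_keys):
    """Key-Value form (spec 4.1.1) of the signed fields, in openid.signed order."""
    return "".join(f"{key}:{params['openid.' + key]}\n" for key in signed_keys).encode("utf-8")


def sign_response(params, mac_key):
    """What the OP does: HMAC-SHA256 over the signed fields, base64 encoded into openid.sig."""
    signed_keys = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, key_value_form(params, signed_keys), hashlib.sha256).digest()
    return dict(params, **{"openid.sig": base64.b64encode(digest).decode("ascii")})


class ResponseVerifier:
    """RP-side checks on a positive assertion delivered through the browser redirect."""

    def __init__(self, mac_key, assoc_handle, return_to):
        self.mac_key, self.assoc_handle, self.return_to = mac_key, assoc_handle, return_to
        self.seen_nonces = set()  # single-use response nonces; persist this in a real RP

    def verify(self, params):
        """Return (ok, reason). The nonce is only consumed once everything else passed."""
        if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
            return False, "not an OpenID 2.0 positive assertion"
        if params.get("openid.assoc_handle") != self.assoc_handle:
            return False, "unknown assoc_handle"
        signed_keys = params.get("openid.signed", "").split(",")
        missing = [key for key in REQUIRED_SIGNED if key not in signed_keys]
        if missing:
            return False, f"required fields not signed: {missing}"
        if params.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        try:
            expected = hmac.new(self.mac_key, key_value_form(params, signed_keys), hashlib.sha256).digest()
            provided = base64.b64decode(params.get("openid.sig", ""), validate=True)
        except (KeyError, ValueError):
            return False, "signed field absent or malformed openid.sig"
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        nonce = params["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return False, "replayed response_nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def signed_field(params, key):
    """Read a field only if the signature covered it; unsigned values are untrusted."""
    return params.get("openid." + key) if key in params.get("openid.signed", "").split(",") else None


def build_example_response(return_to, nonce="2012-04-13T02:56:54Zabc123", sign_roles=True):
    """Constructed positive assertion carrying a roles attribute via Attribute Exchange."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if sign_roles:
        signed += ["ns.ax", "ax.mode", "ax.type.roles", "ax.value.roles"]
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": return_to, "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.ax": "http://openid.net/srv/ax/1.0", "openid.ax.mode": "fetch_response",
        "openid.ax.type.roles": "http://example.com/schema/roles",  # constructed attribute type
        "openid.ax.value.roles": "user",
        "openid.signed": ",".join(signed),
    }
    return sign_response(params, MAC_KEY)


def demo(return_to="https://rp.example/openid/return"):
    """Genuine, tampered, replayed and unsigned-extension responses, as seen by the RP."""
    verifier = ResponseVerifier(MAC_KEY, ASSOC_HANDLE, return_to)
    genuine = build_example_response(return_to)
    results = {"genuine": verifier.verify(genuine)[0]}
    # The browser can edit the redirect before it reaches the RP; the signature catches it.
    tampered = dict(genuine, **{"openid.ax.value.roles": "admin"})
    results["tampered_roles"] = verifier.verify(tampered)[0]
    # Delivering the same assertion a second time fails on the consumed nonce.
    results["replay"] = verifier.verify(genuine)[0]
    # An OP that leaves the roles value out of openid.signed: the message verifies,
    # but the RP must not act on the unsigned value.
    unsigned = build_example_response(return_to, nonce="2012-04-13T02:57:00Zdef456", sign_roles=False)
    results["unsigned_verifies"] = verifier.verify(unsigned)[0]
    results["unsigned_roles"] = signed_field(unsigned, "ax.value.roles")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of the checks matters: the nonce is recorded only after the signature verifies, so a forged message cannot burn a nonce that a genuine response will later need, and return_to is compared before the HMAC so a response for another RP endpoint is rejected even when correctly signed.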