[OpenID] Are all implementations created the same?

Martin Foster martin at ethereal-realms.org
Sun Apr 8 23:56:06 UTC 2007


Guido Sohne wrote:

> Am not sure I would be thrilled to read Perl. Things to check for the
> server side of things are
> 
> 1) Does Diffie Hellman key exchange work properly? Both server and
> client should arrive at the same shared secret. The client should be
> telling the server to use the DH-SHA1 method, too. You say you passed
> all the tests there, that means associate is working, but is it
> working via exchange through DH, or plaintext?
> 
> 2) When the server is responding to a check_id or check_immediate
> request, you usually need to test the assoc handle given and see if it
> belongs in your smart associations. If it does, you use that shared
> secret, and if it does not, you create a dumb association instead, and
> the consumer will go ahead and verify that with check_auth.
> 
> So it would seem you are either looking for the assoc handle presented
> in your dumb associations (smart ones should only be created via
> associate), or the associate is not working properly (unlikely, since
> you pass the associate test).
> 
> What do you do with the assoc handle given, and are you sure it is the
> same handle that you gave out earlier at associate time?
> 
> -- G.

The mac key that is derived on the consumer side is in fact different
than the one that is generated on the server side. For the moment,
since the consumer works fine against Livejournal.com, I have to assume
that it is the server that is failing.

This is the reason I asked if the Livejournal.com version working could
be considered a valid test or not. Because, if it's an improper
implementation, then I may be just barking up the wrong tree.

My script currently does checks to make sure that association handles are
only from smart sessions. Since the associations are stored in the
database, this is not overly hard to manage or follow as a result.

All of the server tests passed, but it never attempted to associate 
using DH.  So I can't check and see what may be wrong.  Either way, 
tracking down a problem like that tends to be difficult because what you 
get even for a one character difference can be a radically different key.

Thanks!

	Martin Foster
	Creator/Designer Ethereal Realms
	martin at ethereal-realms.org
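
The agreement check Guido describes in point 1 (both sides of a DH-SHA1 associate must arrive at the same shared secret, and therefore the same MAC key), as an added Python example that is not code from this thread or from Martin's Perl implementation. It runs both the consumer and the server side offline, using the btwoc encoding and the SHA1-XOR masking of the MAC key that the OpenID 1.x associate exchange specifies; the modulus value is transcribed from the spec and should be verified against your own copy.

```python
import base64
import hashlib
import secrets

# Default DH modulus/generator from the OpenID spec (transcribed here; verify
# against your own copy). The agreement check below holds for any modulus.
DEFAULT_MOD = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
DEFAULT_GEN = 2

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement bytes of a non-negative integer; a leading
    0x00 is added whenever the top bit would otherwise be set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def unbtwoc(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def consumer_start(mod=DEFAULT_MOD, gen=DEFAULT_GEN):
    """Consumer side of associate: pick private xa, send g^xa mod p."""
    xa = secrets.randbelow(mod - 2) + 1
    return xa, base64.b64encode(btwoc(pow(gen, xa, mod))).decode()

def server_respond(consumer_pub_b64, mac_key, mod=DEFAULT_MOD, gen=DEFAULT_GEN):
    """Server side: pick xb, derive the shared secret, mask the MAC key."""
    xb = secrets.randbelow(mod - 2) + 1
    shared = pow(unbtwoc(base64.b64decode(consumer_pub_b64)), xb, mod)
    enc_mac_key = xor_bytes(hashlib.sha1(btwoc(shared)).digest(), mac_key)
    server_pub_b64 = base64.b64encode(btwoc(pow(gen, xb, mod))).decode()
    return server_pub_b64, base64.b64encode(enc_mac_key).decode()

def consumer_finish(xa, server_pub_b64, enc_mac_key_b64, mod=DEFAULT_MOD):
    """Consumer side: derive the same shared secret and unmask the MAC key."""
    shared = pow(unbtwoc(base64.b64decode(server_pub_b64)), xa, mod)
    return xor_bytes(hashlib.sha1(btwoc(shared)).digest(),
                     base64.b64decode(enc_mac_key_b64))

def dh_sha1_roundtrip(mac_key=None):
    """Run both sides offline; return (server's MAC key, consumer's MAC key)."""
    mac_key = mac_key or secrets.token_bytes(20)
    xa, cpub = consumer_start()
    spub, enc = server_respond(cpub, mac_key)
    return mac_key, consumer_finish(xa, spub, enc)
```

Feeding one side's real base64 values into the other side's function here is a quick way to tell whether a mismatch comes from the exponentiation or from the btwoc encoding (a missing leading 0x00 byte changes the SHA1 input and so the whole MAC key).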