[OpenID] Are all implementations created the same?

Guido Sohne guido at sohne.net
Mon Apr 9 07:09:54 UTC 2007


On 4/8/07, Martin Foster <martin at ethereal-realms.org> wrote:
> The MAC key that is derived on the consumer side is in fact different
> than the one that is generated on the server side. For the moment,
> since the consumer works fine against Livejournal.com, I have to assume
> that it is the server that is failing.

During the MAC key generation, each machine chooses a random number,
so you will never see the same thing happening on both sides. The
final step before generating an HMAC is to XOR the SHA-1 of the shared
secret with the actual secret (assoc secret) that you will use for
future communications. You need to check that all of these are generating
the correct output. The important thing is that they come to the same
shared secret, because once they do that they have the same SHA-1, and
then they can recover the encryption key XORed with the SHA-1 they add.

> All of the server tests passed, but it never attempted to associate
> using DH. So I can't check and see what may be wrong. Either way,
> tracking down a problem like that tends to be difficult because what you
> get even for a one-character difference can be a radically different key.

Good luck; the 'fun' thing with this part is that it doesn't work if you
don't have all the ducks lined up just so ...

-- G.
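The exchange Guido describes, as an added example that is not part of the thread and is not code from either poster's implementation: both sides of an OpenID 1.1 DH-SHA1 association in Python, using the spec's default generator (2) and its default modulus as reproduced here (both sides share whatever modulus is used, so the demonstration does not depend on the value being transcribed perfectly). Each side picks its own random exponent, both arrive at the same shared secret, the server masks the MAC key with SHA-1(btwoc(shared)), and the consumer unmasks it. The `strict=False` path is an assumed, illustrative bug of the kind Martin's remark about one-character differences points at: encoding the shared secret as a plain unsigned integer instead of OpenID's btwoc (two's-complement, with a leading 0x00 when the top bit is set). That mistake only changes the bytes when the secret's top bit lands on a byte boundary, so it produces a wrong key on some associations and a correct one on others. Function names and the fixed exponents in the usage call are my own choices.

```python
"""OpenID 1.1 DH-SHA1 association, consumer and server side (added example)."""
import base64
import hashlib
import hmac
import secrets

# Default DH parameters of the OpenID 1.1 spec: generator 2 and the spec's
# 1024-bit modulus (transcribed from the spec; verify against it before use).
DEFAULT_G = 2
DEFAULT_P = int(
    "155172898181473697471232257763715539915724801966915404479707795314057629"
    "378541917580651227423698188993727816152646631438561595825688188889951272"
    "158842675419950341258706556549803580104870537681476726513255747040765857"
    "479291291572334510643245094715007229621094194349783925984760375594985848"
    "253359305585439638443"
)


def btwoc(n: int) -> bytes:
    """OpenID 'btwoc': shortest big-endian two's-complement encoding of n >= 0.
    A leading 0x00 is emitted whenever the top bit of the first byte is set."""
    if n < 0:
        raise ValueError("btwoc only encodes non-negative integers")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def unbtwoc(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def dh_keypair(p=DEFAULT_P, g=DEFAULT_G, private=None):
    """Each side picks its own random exponent x and publishes g^x mod p."""
    x = private if private is not None else secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_sha1_mask(shared: int, strict: bool = True) -> bytes:
    """20-byte mask = SHA-1(btwoc(shared)), XORed with the MAC key.
    strict=False simulates forgetting the btwoc sign byte (assumed bug)."""
    if strict:
        enc = btwoc(shared)
    else:
        enc = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha1(enc).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_associate(consumer_public_b64, mac_key, p=DEFAULT_P, g=DEFAULT_G, server_private=None):
    """Server side of openid.mode=associate with session_type=DH-SHA1."""
    consumer_public = unbtwoc(base64.b64decode(consumer_public_b64))
    x_s, server_public = dh_keypair(p, g, server_private)
    shared = pow(consumer_public, x_s, p)           # (g^x_c)^x_s
    enc_mac_key = xor_bytes(dh_sha1_mask(shared), mac_key)
    return {
        "dh_server_public": base64.b64encode(btwoc(server_public)).decode(),
        "enc_mac_key": base64.b64encode(enc_mac_key).decode(),
    }


def consumer_recover(consumer_private, response, p=DEFAULT_P, strict=True) -> bytes:
    """Consumer side: rebuild the shared secret and unmask the MAC key."""
    server_public = unbtwoc(base64.b64decode(response["dh_server_public"]))
    shared = pow(server_public, consumer_private, p)  # (g^x_s)^x_c, same value
    return xor_bytes(dh_sha1_mask(shared, strict), base64.b64decode(response["enc_mac_key"]))


def run_association(consumer_private=None, server_private=None, mac_key=None):
    """Drive both sides and return what each ends up holding."""
    if mac_key is None:
        mac_key = secrets.token_bytes(20)
    x_c, consumer_public = dh_keypair(private=consumer_private)
    request = {"openid.dh_consumer_public": base64.b64encode(btwoc(consumer_public)).decode()}
    response = server_associate(request["openid.dh_consumer_public"], mac_key,
                                server_private=server_private)
    return {
        "server_mac_key": mac_key,
        "consumer_mac_key": consumer_recover(x_c, response),
        # Only differs from the correct key when the sign byte mattered.
        "buggy_consumer_mac_key": consumer_recover(x_c, response, strict=False),
    }


def sign(mac_key: bytes, fields: dict, signed: list) -> str:
    """OpenID 1.1 signature: HMAC-SHA1 over 'key:value\\n' lines of the signed fields."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, token, hashlib.sha1).digest()).decode()


if __name__ == "__main__":
    result = run_association()
    print("keys agree:", result["server_mac_key"] == result["consumer_mac_key"])
    print("sign-byte bug visible this run:",
          result["buggy_consumer_mac_key"] != result["consumer_mac_key"])
```

To debug a failing pair of implementations, log the intermediate values in this order on both sides: the raw bytes of `dh_consumer_public` and `dh_server_public` after base64 decoding, the integer each side computes for the shared secret, the exact bytes fed to SHA-1, and the resulting mask. The first line that differs is where the encoding disagreement lives; comparing only the final MAC keys tells you nothing, because HMAC-SHA1 turns any single-byte mismatch into an unrelated key.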
