[OpenID] Shared Secrets in the clear (Was: What's broken in OpenID 2.0? (IIW session))
Allen Tom
openid at allentom.com
Wed May 16 16:45:04 UTC 2007
Hi,
As I mentioned in yesterday's session, shared secrets can be returned in
the clear, without using Diffie-Hellman. This really should not be
allowed in the OpenID 2.0 spec.
Here are some example Association Requests using HTTP without Diffie-Hellman
using some of the well-known public OPs:
AOL:
http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
MyOpenID
http://www.myopenid.com/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
Verisign Labs
http://pip.verisignlabs.com/server?openid.mode=associate
My recommendation is that Section 8.1.1 be rephrased to say that
openid.session_type=no-encryption is only allowed if HTTPS is used.
I also believe that RPs which are unable to use HTTPS should just
fallback to stateless mode, as this would help simplify the RP
implementation if the RP has very limited resources.
Allen
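As an added illustration of the point above (example code written for this page, not code from the post's author, the OpenID spec, or any of the OPs named), the Python below shows the RP-side policy being proposed, and why it matters: pick openid.session_type=no-encryption only when the OP endpoint is HTTPS, fall back to a Diffie-Hellman session over plain HTTP, and run stateless (no association) when neither is possible. It then parses a constructed key-value association response of the kind the author's URLs elicit, decodes the cleartext mac_key, and uses it to produce a valid signature over a constructed positive assertion, which is exactly what an eavesdropper on an HTTP association can do. The endpoint URLs, association handle, MAC key and assertion fields are all made up; the DH request only carries the RP's already-computed public value, the DH arithmetic itself is out of scope here.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"


def choose_session_type(op_endpoint, op_supports_dh=True):
    """Session type an RP should request from this OP (policy from the post).

    no-encryption only over HTTPS; a DH session over plain HTTP if the OP
    supports one; otherwise None, meaning: do not associate at all and verify
    assertions in stateless mode via check_authentication.
    """
    scheme = urlsplit(op_endpoint).scheme.lower()
    if scheme == "https":
        return "no-encryption"
    if scheme == "http" and op_supports_dh:
        return "DH-SHA256"  # DH-SHA1 for OPs that only implement the older type
    return None


def build_associate_request(op_endpoint, op_supports_dh=True, dh_consumer_public_b64=None):
    """Form fields for a direct association request, or None for stateless mode.

    dh_consumer_public_b64 is the RP's base64 (btwoc) DH public value and is
    required whenever a DH session type is chosen.
    """
    session_type = choose_session_type(op_endpoint, op_supports_dh)
    if session_type is None:
        return None
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "associate",
        "openid.assoc_type": "HMAC-SHA256",
        "openid.session_type": session_type,
    }
    if session_type.startswith("DH-"):
        if dh_consumer_public_b64 is None:
            raise ValueError("a DH session type needs openid.dh_consumer_public")
        params["openid.dh_consumer_public"] = dh_consumer_public_b64
    return params


def encode_form(params):
    """application/x-www-form-urlencoded body (or query string) for the request."""
    return urlencode(params)


def parse_kv(body):
    """Parse an OpenID key-value form direct response: one 'key:value' per line."""
    fields = {}
    for line in body.decode("utf-8").split("\n"):
        if line == "":
            continue
        key, sep, value = line.partition(":")
        if sep == "":
            raise ValueError("malformed key-value line: %r" % line)
        fields[key] = value
    return fields


def mac_key_from_response(fields):
    """Decode the MAC key a no-encryption association returns in cleartext."""
    if fields.get("session_type") != "no-encryption":
        raise ValueError("mac_key is only sent in the clear for no-encryption sessions")
    return base64.b64decode(fields["mac_key"])


def secret_exposed(op_endpoint, fields):
    """True when a plain-HTTP association response carried the MAC key in the clear."""
    return urlsplit(op_endpoint).scheme.lower() == "http" and "mac_key" in fields


def sign(mac_key, fields, signed, assoc_type="HMAC-SHA256"):
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields
    (openid. prefix removed), base64-encoded."""
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    token = "".join("%s:%s\n" % (name, fields[name]) for name in signed).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, token, digest).digest()).decode("ascii")


def verify(mac_key, fields, signed, sig, assoc_type="HMAC-SHA256"):
    return hmac.compare_digest(sign(mac_key, fields, signed, assoc_type), sig)


# Constructed sample of an OP's direct response to a no-encryption request;
# handle and key are made up (key is the bytes 0x00..0x1f).
SAMPLE_RESPONSE = (
    b"ns:http://specs.openid.net/auth/2.0\n"
    b"assoc_handle:{HMAC-SHA256}{constructed-handle}\n"
    b"session_type:no-encryption\n"
    b"assoc_type:HMAC-SHA256\n"
    b"expires_in:1209600\n"
    b"mac_key:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=\n"
)

# Constructed positive-assertion fields (openid. prefix stripped) that anyone
# holding the MAC key can sign as though they were the OP.
SAMPLE_ASSERTION = {
    "mode": "id_res",
    "op_endpoint": "http://op.example/server",
    "claimed_id": "http://victim.example/",
    "identity": "http://victim.example/",
    "return_to": "http://rp.example/finish",
    "response_nonce": "2007-05-16T16:45:04Zconstructed",
    "assoc_handle": "{HMAC-SHA256}{constructed-handle}",
}
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]


def demo():
    """Key seen on the wire over HTTP -> forged assertion verifies. Returns (exposed, verified)."""
    endpoint = "http://op.example/server"
    fields = parse_kv(SAMPLE_RESPONSE)
    key = mac_key_from_response(fields)
    forged_sig = sign(key, SAMPLE_ASSERTION, SIGNED)
    return secret_exposed(endpoint, fields), verify(key, SAMPLE_ASSERTION, SIGNED, forged_sig)


if __name__ == "__main__":
    print("exposed, forged signature verifies:", demo())
    print("https endpoint ->", choose_session_type("https://op.example/server"))
    print("http endpoint, DH available ->", choose_session_type("http://op.example/server"))
    print("http endpoint, no DH ->", choose_session_type("http://op.example/server", op_supports_dh=False))
```

Running it shows the same request the author's URLs make (session_type=no-encryption) being refused for an http:// endpoint, and that the mac_key returned in the clear is all an attacker needs to sign an id_res assertion the RP will accept. The stateless fallback is the None return: an RP that cannot do HTTPS or DH simply skips association and sends check_authentication for each assertion.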