[OpenID] Shared Secrets in the clear (Was: What's broken in OpenID 2.0? (IIW session))
John Panzer
jpanzer at aol.net
Wed May 16 17:33:04 UTC 2007
Allen Tom wrote:
> Hi,
>
> As I mentioned in yesterday's session, shared secrets can be returned in
> the clear, without using Diffie-Hellman. This really should not be
> allowed in the OpenID 2.0 spec.
>
> Here are some example Association Requests using HTTP without
> Diffie-Hellman using some of the well known public OPs:
>
> AOL:
> http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
>
When would this URL be generated? (The normal mode is of course to use
HTTPS.) Sorry, I missed the session yesterday.
> MyOpenID
> http://www.myopenid.com/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption
>
> Verisign Labs
> http://pip.verisignlabs.com/server?openid.mode=associate
>
> My recommendation is that Section 8.1.1 be rephrased to say that
> openid.session_type=no-encryption is only allowed if HTTPS is used.
>
> I also believe that RPs which are unable to use HTTPS should just
> fall back to stateless mode, as this would help simplify the RP
> implementation if the RP has very limited resources.
>
> Allen
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
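An added example, not code from either poster or from any OpenID library, showing the check Allen's recommendation implies on the RP side: parse an association request, decide whether the resulting MAC key would travel in the clear (openid.mode=associate, no Diffie-Hellman session type, non-HTTPS transport), and pick a session type accordingly. The function names are made up for this example; the sample requests are the three URLs quoted above plus a constructed HTTPS variant. One assumption: an absent openid.session_type is treated as "no-encryption", which is how a blank value reads in OpenID 1.1 compatibility mode.

```python
from urllib.parse import urlsplit, parse_qs

# Session types that negotiate the MAC key with Diffie-Hellman rather than
# returning it directly in the association response.
DH_SESSION_TYPES = {"DH-SHA1", "DH-SHA256"}


def association_params(url):
    """Return (scheme, {openid.* parameters}) for an OP endpoint URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items() if k.startswith("openid.")}
    return parts.scheme.lower(), params


def secret_exposed(url):
    """True if this association request would get the shared secret back in
    the clear: associate mode, no DH session, and the transport is not HTTPS.
    Assumption: a missing openid.session_type means "no-encryption"."""
    scheme, params = association_params(url)
    if params.get("openid.mode") != "associate":
        return False
    session_type = params.get("openid.session_type", "no-encryption")
    if session_type in DH_SESSION_TYPES:
        return False  # key is never sent directly, transport does not matter
    return scheme != "https"


def choose_session_type(op_endpoint, supports_dh=True):
    """RP-side policy following the recommendation in the thread: plaintext
    association only over HTTPS; otherwise use DH if the RP can do the math,
    else skip associations entirely (stateless mode)."""
    scheme = urlsplit(op_endpoint).scheme.lower()
    if scheme == "https":
        return "no-encryption"
    if supports_dh:
        return "DH-SHA256"
    return "stateless"


# Constructed sample set: the association requests quoted in the thread and
# one HTTPS variant for contrast.
SAMPLE_REQUESTS = [
    "http://api.screenname.aol.com/auth/openidServer?openid.ns=http%3A%2F%2F"
    "specs.openid.net%2Fauth%2F2.0&openid.mode=associate"
    "&openid.session_type=no-encryption",
    "http://www.myopenid.com/server?openid.ns=http%3A%2F%2Fspecs.openid.net"
    "%2Fauth%2F2.0&openid.mode=associate&openid.session_type=no-encryption",
    "http://pip.verisignlabs.com/server?openid.mode=associate",
    "https://op.example/server?openid.mode=associate"
    "&openid.session_type=no-encryption",  # constructed HTTPS example
]


def audit(urls):
    """Map each request URL to whether it leaks the shared secret."""
    return {url: secret_exposed(url) for url in urls}


if __name__ == "__main__":
    for url, leaks in audit(SAMPLE_REQUESTS).items():
        print("LEAKS" if leaks else "ok   ", url)
```

Running it flags the three HTTP requests from the thread and passes the HTTPS one; choose_session_type("http://op.example/server", supports_dh=False) returns "stateless", matching the fallback Allen proposes for resource-limited RPs.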