[OpenID] Yahoo issue

Peter Williams pwilliams at rapattoni.com
Mon Feb 4 16:54:19 UTC 2008 

We didnt have any such obligation in SSL3 ...and yet it tookoff. Adding lots of committee-fication words in TLS1.0 made no difference to adoption in the world of baseline _interoperability_. (Arguably, it made formal compliance testing easier, for defense contractors selling TLS to the billion dollar DoD office systems procurement of the time)
 
Why was this so, in SSL3? Because there was a dominant interworking partner that essentially defined the basecase (Netscape). Myopenid.com plays that role, here, surely. Assurance that there has been comprehensive interworking with myopenid.com is surely what is called for.

________________________________

From: general-bounces at openid.net on behalf of Eddy Nigg (StartCom Ltd.)
Sent: Mon 2/4/2008 8:53 AM
To: Hans Granqvist
Cc: general at openid.net
Subject: Re: [OpenID] Yahoo issue


Hans Granqvist wrote: 

	Interestingly, the spec does not mandate implementation of
	any algorithm. Should it? (For comparison, TLS mandates
	algorithms for spec compliance: RFC 4346 section 9.)
	
	Also: should there be a way to extend the set of OpenID
	associations and authentication algorithms? (TLS has a
	mechanism for adding new algorithms, see for example
	RFC 2712)
	  

I would say both time yes? Any specific reason why not?


-- 

Regards 	
 	
Signer: 	 Eddy Nigg, StartCom Ltd. <http://www.startcom.org/> 	
Jabber: 	 startcom at startcom.org	
Blog: 	 Join the Revolution! <http://blog.startcom.org/> 	
Phone: 	 +1.213.341.0390	
 	


	Hans
	
	
	On 2/3/08, Allen Tom <atom at yahoo-inc.com> <mailto:atom at yahoo-inc.com>  wrote:
	  

		 Hi Shane,
		
		 The Yahoo OP does not support HMAC-SHA256 nor DH-SHA256, and thanks for
		pointing out that our error response is not correct. We'll fix this soon.
		
		 Thanks
		 Allen

More information about the general mailing list