[OpenID] MySpaceID, Activity Streams, Portable Contacts on OpenID.net
Allen Tom
atom at yahoo-inc.com
Thu Apr 9 02:34:20 UTC 2009
Santosh Rajan wrote:
> My understanding of the OpenID 2.0 specification is the following and I don't
> think MySpace is compliant.
> 1) The RP should be able to negotiate a SHA1 or SHA256 handle. MySpace does not
> support SHA1.
>
My interpretation of Section 6.2 of the OpenID 2.0 spec is that OPs can
support either HMAC-SHA1, or HMAC-SHA256, or both.
FWIW, Yahoo only supports HMAC-SHA1, and does not support HMAC-SHA256.
> 2) MySpace does not support session type "no encryption", in which case an
> RP might want to go for stateless mode. They hit you with SHA512 in
> stateless mode! Where did that come from?
>
>
Section 8.1.1 says that "no-encryption" MUST NOT be used unless
transport layer encryption is used. I believe that the MySpace OP
doesn't use HTTPS, so they can't use no-encryption for association requests.
I believe that MySpace is fully compliant with the OpenID 2.0 spec. It
would be nice if they supported directed identity, so that users can
type in "myspace.com", but this behavior is not required by the spec.
Allen
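
The RP side of the association negotiation discussed in this thread, as an added example that is not part of the original message or of any OP's code. The function names and the `op.example` URLs used with it are assumptions; only the type fields are built, and the Diffie-Hellman key fields are left to the caller.

```python
from urllib.parse import urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Association type -> matching Diffie-Hellman session type (OpenID 2.0, 8.3 and 8.4).
DH_SESSION = {"HMAC-SHA256": "DH-SHA256", "HMAC-SHA1": "DH-SHA1"}


def build_associate_request(op_endpoint, assoc_type="HMAC-SHA256", session_type=None):
    """Return the type-negotiation fields of an associate request.

    DH fields (openid.dh_consumer_public etc.) are left to the caller.
    """
    if assoc_type not in DH_SESSION:
        raise ValueError(f"RP does not implement {assoc_type}")
    over_tls = urlparse(op_endpoint).scheme.lower() == "https"
    if session_type is None:
        # With TLS the MAC key is protected by the transport; otherwise use DH.
        session_type = "no-encryption" if over_tls else DH_SESSION[assoc_type]
    if session_type == "no-encryption":
        if not over_tls:
            # Section 8.1.1: MUST NOT be used without transport layer encryption.
            raise ValueError("no-encryption requires an https OP endpoint")
    elif session_type != DH_SESSION[assoc_type]:
        raise ValueError(f"{session_type} does not match {assoc_type}")
    return {
        "openid.ns": OPENID2_NS,
        "openid.mode": "associate",
        "openid.assoc_type": assoc_type,
        "openid.session_type": session_type,
    }


def retry_after_error(op_endpoint, error_response):
    """Handle an 'unsupported-type' error: retry with the OP's types or go stateless.

    Returns a new request dict, or None when the RP should skip association
    and verify assertions directly with the OP (stateless mode).
    """
    if error_response.get("error_code") != "unsupported-type":
        return None
    try:
        return build_associate_request(
            op_endpoint,
            error_response.get("assoc_type"),
            error_response.get("session_type"),
        )
    except ValueError:
        return None
```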