[OpenID] My 2 Cents to the OpenID foundation

Andrew Arnott andrewarnott at gmail.com
Sun Jul 5 21:31:35 UTC 2009


Just digging up an old thread and finding some interesting guesses at
MySpace's OpenID support.  Just feeling like defending someone here... :)

*Does MySpace support OpenID 1.1?*
*No.*  The individual user identifiers that MySpace issues only provide
OpenID 2.0 discoverable endpoints.  I also tried rigging up a delegating
identifier that forces the RP to discover a 1.1 endpoint to MySpace, and
MySpace choked on it.  So it's a 2.0-only OP.

*Which association types does MySpace support? *
HMAC-SHA1 and HMAC-SHA256.  This is in contradiction to earlier in this
thread where MySpace allegedly didn't support HMAC-SHA1.

*Why do we see HMAC-SHA512 coming from MySpace?  Doesn't that compromise
interoperability with RPs? Isn't this a deviation from the spec?*
MySpace uses HMAC-SHA512 for its private associations only, and this is an
internal detail.  It does *not* use these for shared associations (unless
the RP specifically asks for them), so it should not adversely affect
interoperability.  Perhaps if some RPs are hard-coded to break if a
signature is too long it might break, but IMO this is a poorly written RP if
it even exists.  The spec doesn't forbid use of association types that are
not described in the spec, either.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


2009/4/7 John Bradley <john.bradley at wingaa.com>

> Santrajan,
> The symmetric encryption key, SHA1 or SHA256, is set per RP/OP
> association.
>
> It would take some real bending of the protocol for the RP to have two
> associations and choose the one to use based on what the OP might send back.
>
> It is also unlikely that PCI rules are going to allow any OP to store
> credit card numbers and make them available via AX.
> There is going to have to be something other than AX as it is now for
> authenticating financial transactions.
>
> We also need to remember this signature is only intended to prevent
> tampering and is not used for encryption.
> For AX including the attributes in the signed portion of the message is
> optional in any event.
>
> Yes the OP may send back attributes that could be modified by the user
> without the RP knowing.
>
> The AX 1.0 spec allows OPs and RPs to negotiate any sort of signing
> and/or encryption they like for attributes.
> However there is no standard for that,  so at the moment the most OPs can
> do is include the AX attributes in the signed part of the response.
>
> We have talked for a while about the need for AX 2.0 to address some of the
> ambiguities and add things like encryption and structured attributes.
>
> I am hoping work on that can get started soon!
>
> John Bradley
>
> On 7-Apr-09, at 7:23 PM, general-request at openid.net wrote:
>
> Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)
> From: santrajan <santrajan at gmail.com>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <22941702.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> I think the degree of security required must be proportional to the value
> of the information you are carrying. SHA1 is fine for basic profile data.
> You need SHA256 only for things like credit card no, social security no,
> bank account no etc etc.
>
>
> Allen Tom-2 wrote:
> > John Bradley wrote:
> > > Yahoo and I have an ongoing disagreement over the requirement for
> > > OpenID 2.0 OPs to support HMAC-SHA256; they believe that HMAC-SHA1 is
> > > sufficient. I think that if an RP asks for a SHA256 association they
> > > should support it.  (Allen feel free to defend yourself:)
> >
> > Hi John,
> >
> > I don't think any RP has asked us to support HMAC-SHA256, so we haven't
> > gotten around to implementing it yet. As far as I can tell, Section 6.2
> > of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.
> >
> > Thanks
> > Allen
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
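As an added worked example (this is not code from Andrew, John, MySpace or Yahoo, and not part of the original posts): the OpenID 2.0 key-value signature of section 6.1, computed with each association type, shows two points from the thread. First, an RP that simply recomputes and compares the MAC is unaffected by a longer HMAC-SHA512 signature, so only an RP that hard-codes a signature length would break. Second, John's point that an AX attribute left out of openid.signed can be altered by the user without the signature failing, which is why an RP must check that every field it relies on is actually listed in openid.signed. The endpoints, nonce, association handle, attribute values and the association key are constructed for the example; HMAC-SHA512 is included as an assumed extra type that the spec does not describe.

```python
"""OpenID 2.0 key-value form signing (sections 4.1.1, 6.1, 6.2) and the
RP-side check of which fields openid.signed covers.  Constructed example."""
import base64
import hashlib
import hmac

# Association types named in OpenID Authentication 2.0 section 6.2 and the
# digest each uses.  HMAC-SHA512 is NOT in the spec; it is listed here as an
# assumption, because the spec does not forbid extra association types.
ASSOC_TYPES = {
    "HMAC-SHA1": hashlib.sha1,
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA512": hashlib.sha512,
}

# Fields a positive assertion must sign (section 10.1); claimed_id and
# identity must also be signed whenever they are present, as they are here.
REQUIRED_CORE = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity"}

CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
AX = "ns.ax,ax.mode,ax.type.email,ax.value.email"


def kv_form(fields, signed):
    """Key-value form of the fields named in openid.signed, in that order,
    each line "key:value\\n" with the "openid." prefix stripped from the key."""
    return "".join("%s:%s\n" % (name, fields["openid." + name])
                   for name in signed.split(","))


def sign(fields, secret, assoc_type):
    """openid.sig: base64 of the HMAC over the key-value form (section 6.1)."""
    digest = ASSOC_TYPES[assoc_type]
    msg = kv_form(fields, fields["openid.signed"]).encode("utf-8")
    return base64.b64encode(hmac.new(secret, msg, digest).digest()).decode("ascii")


def verify(fields, secret, assoc_type):
    """Recompute the MAC and compare it with openid.sig in constant time."""
    return hmac.compare_digest(sign(fields, secret, assoc_type), fields["openid.sig"])


def make_assertion(secret, assoc_type, signed):
    """Constructed positive assertion carrying one AX email attribute."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",          # constructed
        "openid.claimed_id": "https://op.example/user/alice",       # constructed
        "openid.identity": "https://op.example/user/alice",         # constructed
        "openid.return_to": "https://rp.example/return",            # constructed
        "openid.response_nonce": "2009-07-05T21:31:35Zconstructed",
        "openid.assoc_handle": "{HMAC}{constructed-handle}",
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.com",
        "openid.signed": signed,
    }
    fields["openid.sig"] = sign(fields, secret, assoc_type)
    return fields


def rp_accepts(fields, secret, assoc_type, relied_on=()):
    """RP check: the mandatory fields and every attribute the RP relies on
    must be listed in openid.signed, and the signature must verify."""
    signed = set(fields["openid.signed"].split(","))
    if not REQUIRED_CORE <= signed or not set(relied_on) <= signed:
        return False
    return verify(fields, secret, assoc_type)


def tamper_demo(assoc_type="HMAC-SHA256"):
    """The user edits the AX email in the browser on its way to the RP.
    Compare an OP that left the attribute unsigned with one that signed it."""
    # Section 6.2: the association key is as long as the digest output.
    secret = bytes(range(ASSOC_TYPES[assoc_type]().digest_size))  # constructed key
    unsigned_ax = make_assertion(secret, assoc_type, CORE)
    signed_ax = make_assertion(secret, assoc_type, CORE + "," + AX)
    for assertion in (unsigned_ax, signed_ax):
        assertion["openid.ax.value.email"] = "mallory@example.com"  # tampered
    return {
        "sig_len": len(signed_ax["openid.sig"]),  # 28 / 44 / 88 chars by type
        "unsigned_ax_mac_ok": verify(unsigned_ax, secret, assoc_type),
        "unsigned_ax_rp_accepts": rp_accepts(unsigned_ax, secret, assoc_type,
                                             ["ax.value.email"]),
        "signed_ax_mac_ok": verify(signed_ax, secret, assoc_type),
    }


if __name__ == "__main__":
    for assoc in ASSOC_TYPES:
        print(assoc, tamper_demo(assoc))
```

With the attribute left out of openid.signed the MAC still verifies after tampering, and only the explicit coverage check in rp_accepts rejects the response; with the attribute signed, the MAC itself fails. The base64 signature grows from 28 to 44 to 88 characters across the three types, which a MAC comparison does not care about.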