[OpenID] Newby OpenID (1.1) questions

Andrew Arnott andrewarnott at gmail.com
Mon May 4 14:16:08 UTC 2009


Inline...  Hope this helps.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


2009/5/4 coen at rtlinteractief.nl <coen at rtlinteractief.nl>

> Hi All,
>
> I'm new to OpenID and reading up before implementation and I have a few
> questions. Sorry for the n00b level, but I did try to figure things out
> myself.
>
> Concerning 'OpenID Authentication 1.1'
>
First of all, just want to make sure that you're aware that OpenID 2.0 has
been out for a while, and a few of the very large providers don't even
support 1.1.

>
> * Paragraph 4.2.2.3, I cannot place the term 'opaque', what does it mean
> in this context? (I'm not a native English speaker(/reader))
>
It means that the receiving party should not try to interpret the value in
any way, and should preserve it exactly as received.

>
> * Paragraph 4.2.2.3 is missing a right parenthesis, where does it go?
>
At the end of the line.

>
> * Paragraph 4.3.2.2, openid.assoc_handle, I do not understand the meaning
> of 'to fine for', I tried different online translations, but can't work it
> out.
>
It's a typo.  It should read "Opaque association handle being used to
*find* the HMAC key for the signature."

>
>
> I think I got these, but would like them verified:
> * DH-SHA1 means using SHA1 for encrypting the mac key?
>
That's about right.  SHA-1 hashes rather than encrypts, and it isn't used
until after the MAC key is exchanged.  DH-SHA1 means use Diffie-Hellman to
encrypt the MAC key, and (if your code requires it) initialize your DH
session to expect the key size required for a SHA-1-sized key.

>
> * HMAC-SHA1 means using SHA1 for message authentication?  But if this is
> true, then what does the HMAC function do?
>
HMAC-SHA is a way of hashing that includes a shared secret in the algorithm
so that it generates a kind of signature that proves someone signed it using
a secret key.  HMAC-SHA1 is a single algorithm, so no, don't use a standard
SHA1 function here.  You need HMAC-SHA1 as a single operation.

>
> * The secret(..) function is a server side function encrypting the
> assoc_handle with whatever method the server desires?
>
No.  The assoc_handle is never encrypted.  secret(..) is a function that
fetches the shared secret by looking it up using the assoc_handle.

>
> * Delegating authentication as described in paragraph 3.1.1. is a
> single/one time step. There can be no delegation after delegation?
>
That's right.  Delegation results in an OP endpoint, claimed identifier and
OP local identifier, so there can be no delegation chaining.

>
> * Should the end user have to log in on the server in order for it to
> verify the claimed id, the difference between checkid_immediate and
> checkid_setup is that the first says a user should perform the
> authentication on the server (at the returned openid.user_setup_url) where
> the latter directly performs any required authentication?
>
The user must always log into the server before a positive identity
assertion is sent to the RP.  But if the user has already logged into their
OP and their session is still intact, that step need not be repeated.  This
is always true.  The difference between checkid_immediate and checkid_setup
is used by the RP when a background AJAX auth attempt is in progress to hint
to the OP that it must not display any UI to the user that it expects the
user to respond to since the user will never see it.  checkid_setup is most
commonly used, and means the OP can display whatever login UI it needs to in
order to send a positive assertion.  When the OP needs to display UI to
complete login but a checkid_immediate message is sent, it just replies
"no".

> I'm currently reading the 2.0 specs, which raises (a lot of) new questions,
> but sure helped me understand the 1.1 better.
>
>
> Thanks a bunch,
>
> Coen
>
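The three mechanisms Andrew describes above (the opaque assoc_handle that `secret(..)` merely looks up, DH-SHA1 blinding of the MAC key, and HMAC-SHA1 as a single keyed operation over the key-value form of the signed fields) fit together in the following added example. It is illustration code written for this thread, not code from Andrew, Coen or any OpenID library, and it makes two assumptions: the Diffie-Hellman group is a toy 127-bit Mersenne prime rather than the spec's default 1024-bit modulus, and the assertion field values are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Association store: this is all the spec's secret(assoc_handle) does.
# The handle is an opaque label that both RP and OP map to the shared MAC key.
ASSOCIATIONS = {}


def secret(assoc_handle):
    """Return the shared HMAC key for an opaque handle, or None if unknown."""
    return ASSOCIATIONS.get(assoc_handle)


# DH-SHA1 MAC-key exchange.  ASSUMPTION: toy group for demonstration only;
# the real protocol uses the spec's default 1024-bit modulus.
P = 2**127 - 1  # Mersenne prime, far too small for real use
G = 2


def btwoc(n):
    """Big-endian two's-complement encoding of a non-negative int (spec's btwoc)."""
    # The +8 guarantees a leading zero byte whenever the high bit would be set.
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair():
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_sha1_blind(mac_key, my_private, their_public):
    """enc_mac_key = SHA1(btwoc(g^(xa*xb) mod p)) XOR mac_key.

    SHA-1 here only derives a 20-byte one-time pad from the DH secret; the
    same XOR recovers mac_key on the other side.
    """
    shared = pow(their_public, my_private, P)
    pad = hashlib.sha1(btwoc(shared)).digest()
    return bytes(a ^ b for a, b in zip(pad, mac_key))


def associate():
    """Simulate one associate exchange; both parties end up storing the MAC key."""
    rp_priv, rp_pub = dh_keypair()          # RP sends openid.dh_consumer_public
    op_priv, op_pub = dh_keypair()          # OP answers with dh_server_public
    handle = base64.b64encode(os.urandom(12)).decode()   # opaque, never interpreted
    op_mac_key = os.urandom(20)             # 20 bytes for HMAC-SHA1
    enc_mac_key = dh_sha1_blind(op_mac_key, op_priv, rp_pub)
    rp_mac_key = dh_sha1_blind(enc_mac_key, rp_priv, op_pub)   # RP unblinds
    ASSOCIATIONS[handle] = rp_mac_key
    return handle, op_mac_key, rp_mac_key


def kv_form(fields, signed):
    """Key-value form of the signed fields: 'key:value\\n', 'openid.' prefix dropped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields, signed):
    """OP side: one HMAC-SHA1 operation keyed with secret(assoc_handle)."""
    key = secret(fields["openid.assoc_handle"])
    if key is None:
        raise KeyError("unknown association handle")
    mac = hmac.new(key, kv_form(fields, signed), hashlib.sha1).digest()
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields


def verify(fields):
    """RP side: recompute the HMAC and compare in constant time."""
    key = secret(fields.get("openid.assoc_handle", ""))
    if key is None:
        return False
    signed = fields["openid.signed"].split(",")
    expected = hmac.new(key, kv_form(fields, signed), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64decode(fields["openid.sig"]), expected)


def demo():
    """Run the full flow on constructed sample values and report the checks."""
    handle, op_key, rp_key = associate()
    assertion = sign({                      # constructed sample positive assertion
        "openid.mode": "id_res",
        "openid.identity": "http://example.invalid/coen",
        "openid.return_to": "http://rp.example.invalid/finish",
        "openid.assoc_handle": handle,
    }, ["mode", "identity", "return_to"])
    tampered = dict(assertion, **{"openid.identity": "http://example.invalid/mallory"})
    foreign = dict(assertion, **{"openid.assoc_handle": "not-a-known-handle"})
    return {
        "keys_agree": op_key == rp_key,
        "verified": verify(assertion),
        "tampered_rejected": not verify(tampered),
        "unknown_handle_rejected": not verify(foreign),
    }
```

Note the two places the design matters: `secret()` never decrypts anything, it only indexes a store, and `verify()` treats an unknown handle as a failed signature rather than an error, which is the safe default when an RP receives an assertion it never set up an association for.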