[OpenID] Newby OpenID (1.1) questions

coen at rtlinteractief.nl coen at rtlinteractief.nl
Tue May 5 10:36:01 UTC 2009


Hi Andrew,

Thank you for your input. I knew about OpenID 2.0, but thought it best 
to get a general idea of OpenID by reading the 1.0 specs.


Met vriendelijke groet / With kind regards / mit besten Grüßen,

Coen Schalkwijk
Software Engineer

coen.schalkwijk at rtl.nl <mailto:coen.schalkwijk at rtl.nl>
coen at rtlinteractief.nl <mailto:coen at rtlinteractief.nl>
+31 (0)35 671 8915


Andrew Arnott wrote:
> Inline...  Hope this helps.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - Voltaire
>
>
> 2009/5/4 coen at rtlinteractief.nl <mailto:coen at rtlinteractief.nl>
>
>     Hi All,
>
>     I'm new to OpenID and reading up before implementation and I have
>     a few questions. Sorry for the n00b level, but I did try to figure
>     things out myself.
>
>     Concerning 'OpenID Authentication 1.1'
>
> First of all, just want to make sure that you're aware that OpenID  
> 2.0 has been out for a while, and a few of the very large providers 
> don't even support 1.1.
>
>
>     * Paragraph 4.2.2.3, I cannot place the term 'opaque', what does
>     it mean in this context? (I'm not a native English speaker(/reader))
>
> It means that the receiving party should not try to interpret the 
> value in any way, and should preserve it exactly as received.
>
>
>     * Paragraph 4.2.2.3 is missing a right parenthesis, where does it go?
>
> At the end of the line.
>
>
>     * Paragraph 4.3.2.2, openid.assoc_handle, I do not understand the
>     meaning of 'to fine for', I tried different online translations,
>     but can't work it out.
>
> It's a typo.  It should read "Opaque association handle being used to 
> *find* the HMAC key for the signature."
>
>
>
>     I think I got these, but would like them verified:
>     * DH-SHA1 means using SHA1 for encrypting the mac key?
>
> That's about right.  SHA-1 hashes rather than encrypts, and it isn't 
> used until after the MAC key is exchanged.  DH-SHA1 means use 
> Diffie-Hellman to encrypt the MAC key, and (if your code requires it) 
> initialize your DH session to expect the key size required for a 
> SHA-1-sized key.
>
>
>     * HMAC-SHA1 means using SHA1 for message authentication?  But if
>     this is true, then what does the HMAC function do?
>
> HMAC-SHA is a way of hashing that includes a shared secret in the 
> algorithm so that it generates a kind of signature that proves someone 
> signed it using a secret key.  HMAC-SHA1 is a single algorithm, so no, 
> don't use a standard SHA1 function here.  You need HMAC-SHA1 as a 
> single operation.
>
>
>     * The secret(..) function is a server side function encrypting the
>     assoc_handle with whatever method the server desires?
>
> No.  The assoc_handle is never encrypted.  secret(..) is a function 
> that fetches the shared secret by looking it up using the assoc_handle.
>
>
>     * Delegating authentication as described in paragraph 3.1.1. is a
>     single/one time step. There can be no delegation after delegation?
>
> That's right.  Delegation results in an OP endpoint, claimed 
> identifier and OP local identifier, so there can be no delegation 
> chaining.
>
>
>     * Should the end user have to log in on the server in order for it
>     to verify the claimed id, the difference between checkid_immediate
>     and checkid_setup is that the first says a user should perform the
>     authentication on the server (at the returned
>     openid.user_setup_url) where the latter directly performs any
>     required authentication?
>
> The user must always log into the server before a positive identity 
> assertion is sent to the RP.  But if the user has already logged into 
> their OP and their session is still intact, that step need not be 
> repeated.  This is always true.  The difference between 
> checkid_immediate and checkid_setup is used by the RP when a 
> background AJAX auth attempt is in progress to hint to the OP that it 
> must not display any UI to the user that it expects the user to 
> respond to since the user will never see it.  checkid_setup is most 
> commonly used, and means the OP can display whatever login UI it needs 
> to in order to send a positive assertion.  When the OP needs to 
> display UI to complete login but a checkid_immediate message is sent, 
> it just replies "no".
>
>     I'm currently reading the 2.0 specs, which raises (a lot of) new
>     questions, but sure helped me understand the 1.1 better.
>
>
>     Thanks a bunch,
>
>     Coen
>
>     _______________________________________________
>     general mailing list
>     general at openid.net <mailto:general at openid.net>
>     http://openid.net/mailman/listinfo/general
>
>
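The association and signing steps the reply describes (Diffie-Hellman hiding the MAC key in transit, secret(assoc_handle) as a lookup rather than a decryption, and HMAC-SHA1 over the signed fields instead of a plain SHA-1 hash), as an added Python example that is not part of this thread, the OpenID specification text, or any OpenID library. The DH modulus and generator are constructed demo values and not the spec's default group; the association store, handle format, identity URLs and return_to URL are made up for the demonstration. The btwoc encoding, the enc_mac_key = SHA1(btwoc(g^xy mod p)) XOR mac_key construction and the key:value\n form of the signed fields follow OpenID 1.1 as I read it.

```python
"""OpenID 1.1 association and signature mechanics (constructed demo, not library code)."""
import base64
import hashlib
import hmac
import secrets

# Constructed demo DH group: a known Mersenne prime and a small generator.
# NOT the OpenID default modulus; only the shape of the computation matches the spec.
DEMO_P = 2 ** 127 - 1
DEMO_G = 5


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (OpenID 1.1 btwoc)."""
    # One extra byte is allowed so that a set top bit never reads as a negative number.
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair(p: int, g: int):
    """Return (private exponent, public value) for one DH party."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_sha1(p: int, my_private: int, their_public: int) -> bytes:
    """SHA1(btwoc(g^(xy) mod p)): the 20-byte mask used by DH-SHA1 associations."""
    return hashlib.sha1(btwoc(pow(their_public, my_private, p))).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def op_associate(p: int, g: int, consumer_public: int, store: dict):
    """OP side: mint a MAC key, store it under a fresh handle, hide it with the DH mask."""
    handle = secrets.token_hex(8)          # constructed handle format; opaque to the consumer
    mac_key = secrets.token_bytes(20)      # 20 bytes because the signature algorithm is HMAC-SHA1
    store[handle] = mac_key
    server_private, server_public = dh_keypair(p, g)
    enc_mac_key = xor_bytes(dh_shared_sha1(p, server_private, consumer_public), mac_key)
    return handle, server_public, enc_mac_key


def consumer_recover_mac_key(p: int, consumer_private: int, server_public: int, enc_mac_key: bytes) -> bytes:
    """Consumer side: undo the mask with the same shared secret. SHA-1 never encrypts anything here."""
    return xor_bytes(dh_shared_sha1(p, consumer_private, server_public), enc_mac_key)


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of exactly the fields named in openid.signed, in that order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def secret(store: dict, handle: str) -> bytes:
    """The spec's secret(assoc_handle): a lookup of the shared MAC key, not a decryption of the handle."""
    return store[handle]


def sign(store: dict, handle: str, fields: dict, signed: list) -> str:
    """OP: openid.sig is base64(HMAC-SHA1(mac_key, kv_form)); a single keyed operation."""
    mac = hmac.new(secret(store, handle), kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify(mac_key: bytes, fields: dict, signed: list, sig: str) -> bool:
    """Consumer: recompute the HMAC with its copy of the key and compare in constant time."""
    expected = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig))


def demo():
    """Full round trip; returns (keys agree, genuine response verifies, tampered response verifies)."""
    store = {}
    consumer_private, consumer_public = dh_keypair(DEMO_P, DEMO_G)
    handle, server_public, enc_mac_key = op_associate(DEMO_P, DEMO_G, consumer_public, store)
    consumer_key = consumer_recover_mac_key(DEMO_P, consumer_private, server_public, enc_mac_key)

    # Constructed positive assertion; URLs are placeholders.
    fields = {"mode": "id_res", "identity": "http://alice.example/", "return_to": "http://rp.example/finish"}
    signed = ["mode", "identity", "return_to"]
    sig = sign(store, handle, fields, signed)

    # An attacker who swaps the identity cannot produce a matching sig without the MAC key;
    # a plain SHA-1 of the tampered fields would be trivially recomputable, which is the point of HMAC.
    tampered = dict(fields, identity="http://mallory.example/")
    return consumer_key == store[handle], verify(consumer_key, fields, signed, sig), verify(consumer_key, tampered, signed, sig)


if __name__ == "__main__":
    print(demo())
```

The consumer only ever sees the handle and enc_mac_key on the wire; the handle is the opaque value the thread talks about, and the consumer's job is to hand it back unchanged so the OP can run secret() against it.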