<html><body>
<div>Supporting DH encrypted key exchange is part of the existing 2.0 spec.</div>
<div>Yahoo and others argue that since they only support associations over SSL the DH encryption is redundant.</div>
<div>In recognition of that I modified the OSIS tests slightly so that the test is that the OP rejects No-Encryption Association sessions over HTTP sessions.</div>
<div><a href="https://test-id.org/OP/AssociateHttpNoEncryption.aspx">https://test-id.org/OP/AssociateHttpNoEncryption.aspx</a></div>
<div>Supporting DH is still a requirement of the spec but it is more important to focus on stopping associations from happening in the clear.</div>
<div>I don't believe Yahoo's position is unreasonable on this.</div>
<div>John Bradley</div>
<blockquote type="cite">
Date: Tue, 17 Mar 2009 13:00:36 -0700<br>
From: Martin Atkins &lt;<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>&gt;<br>
Subject: Re: [OpenID] Backwards Compatibility<br>
To: <a href="mailto:general@openid.net">general@openid.net</a><br>
Message-ID: &lt;<a href="mailto:49C00164.5070709@degeneration.co.uk">49C00164.5070709@degeneration.co.uk</a>&gt;<br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Allen Tom wrote:<br>
<blockquote type="cite">If anything, I'd like to see things removed from 2.0, such as the DH key exchange.<br></blockquote>
<br>
Why would the key exchange be removed? What would it be replaced with?<br>
</blockquote>
</body></html>
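The OP-side policy that the modified OSIS test above exercises, written out as an added example (this is not code from OSIS, test-id.org, or any of the posters): an association endpoint that refuses the no-encryption session type unless the request arrived over TLS, answers with the spec's unsupported-type error in Key-Value form, and still serves a DH-SHA256 session so an RP on plain HTTP can obtain a MAC key without it ever travelling in the clear. The handler signature, the optional caller-supplied MAC key, the hex association handle, and the toy 127-bit modulus used by the self-test are assumptions; the spec's default 1024-bit modulus is deliberately not reproduced here, so a request must carry its own dh_modulus.

```python
"""OP-side handling of an OpenID 2.0 association request (added example).

Policy demonstrated: 'no-encryption' is only honoured over TLS; on plain
HTTP the OP returns the spec's unsupported-type error and points the RP at
DH-SHA256, which it serves on either transport.
"""
import base64
import hashlib
import secrets
from typing import Optional

OPENID_NS = "http://specs.openid.net/auth/2.0"
MAC_KEY_LEN = 32            # HMAC-SHA256 MAC key length in bytes
TOY_P = 2 ** 127 - 1        # constructed toy modulus for the self-test only (a Mersenne prime)
TOY_G = 2


def btwoc_encode(n: int) -> bytes:
    """Shortest big-endian two's complement of a non-negative integer (spec 4.2)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def btwoc_decode(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def kv_encode(fields: dict) -> str:
    """Key-Value Form Encoding used for direct responses: one 'key:value' per line."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def kv_decode(text: str) -> dict:
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)


def unsupported(reason: str) -> str:
    """Unsuccessful associate response (spec 8.2.4), advertising what we do accept."""
    return kv_encode({"ns": OPENID_NS, "error": reason, "error_code": "unsupported-type",
                      "session_type": "DH-SHA256", "assoc_type": "HMAC-SHA256"})


def handle_associate(params: dict, over_tls: bool, mac_key: Optional[bytes] = None) -> str:
    """Process an openid.mode=associate request; returns the KV-form response body.

    `over_tls` is whatever the transport layer reports for this request.
    `mac_key` may be supplied by the caller (assumption, for testability); a real
    OP draws it at random and stores it under the association handle.
    """
    if params.get("openid.assoc_type") != "HMAC-SHA256":
        return unsupported("unsupported assoc_type")
    if mac_key is None:
        mac_key = secrets.token_bytes(MAC_KEY_LEN)
    session_type = params.get("openid.session_type", "")
    resp = {"ns": OPENID_NS, "assoc_handle": secrets.token_hex(8),
            "session_type": session_type, "assoc_type": "HMAC-SHA256", "expires_in": "3600"}

    if session_type == "no-encryption":
        if not over_tls:  # the check the OSIS test looks for: no plaintext MAC key on HTTP
            return unsupported("no-encryption session type requires TLS")
        resp["mac_key"] = b64(mac_key)
        return kv_encode(resp)

    if session_type == "DH-SHA256":
        try:
            p = btwoc_decode(base64.b64decode(params["openid.dh_modulus"]))
            g = btwoc_decode(base64.b64decode(params.get("openid.dh_gen", "Ag==")))  # default g=2
            gx = btwoc_decode(base64.b64decode(params["openid.dh_consumer_public"]))
        except (KeyError, ValueError):
            return unsupported("missing or malformed DH parameters")
        if not (1 < gx < p - 1):  # reject degenerate public values
            return unsupported("invalid dh_consumer_public")
        y = secrets.randbelow(p - 2) + 1
        shared = pow(gx, y, p)
        digest = hashlib.sha256(btwoc_encode(shared)).digest()
        resp["dh_server_public"] = b64(btwoc_encode(pow(g, y, p)))
        resp["enc_mac_key"] = b64(bytes(a ^ b for a, b in zip(digest, mac_key)))
        return kv_encode(resp)

    return unsupported("unsupported session_type")


# --- RP side, to show the DH path end to end -----------------------------------
def build_dh_request(x: int, p: int = TOY_P, g: int = TOY_G) -> dict:
    return {"openid.ns": OPENID_NS, "openid.mode": "associate",
            "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "DH-SHA256",
            "openid.dh_modulus": b64(btwoc_encode(p)), "openid.dh_gen": b64(btwoc_encode(g)),
            "openid.dh_consumer_public": b64(btwoc_encode(pow(g, x, p)))}


def rp_recover_mac_key(response: str, x: int, p: int = TOY_P) -> bytes:
    f = kv_decode(response)
    gy = btwoc_decode(base64.b64decode(f["dh_server_public"]))
    digest = hashlib.sha256(btwoc_encode(pow(gy, x, p))).digest()
    return bytes(a ^ b for a, b in zip(digest, base64.b64decode(f["enc_mac_key"])))


if __name__ == "__main__":
    plain = {"openid.ns": OPENID_NS, "openid.mode": "associate",
             "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "no-encryption"}
    print(handle_associate(plain, over_tls=False))   # unsupported-type error
    x = secrets.randbelow(TOY_P - 2) + 1
    print(handle_associate(build_dh_request(x), over_tls=False))  # DH works on HTTP
```

The only transport-dependent branch is the no-encryption one; DH-SHA256 is served regardless, which is what lets an OP pass the AssociateHttpNoEncryption check without breaking RPs that never use SSL. An OP that, like Yahoo, only exposes its endpoint over SSL simply never sees `over_tls=False`.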