<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Santrajan,<div><br></div><div>The symmetric encryption is key SHA1 or SHA256 is set per RP/OP association. </div><div><br></div><div>It would take some real bending of the protocol for the RP to have two associations and choose the one to use based on what the OP might send back.</div><div><br></div><div>It is also unlikely that PCI rules are going to allow any OP to store credit cards numbers and make them available via AX. </div><div>There is going to have to be something other than AX as it is now for authenticating financial transactions.</div><div><br></div><div>We also need to remember this signature is only intended to prevent tampering and is not used for encryption. </div><div>For AX including the attributes in the signed portion of the message is optional in any event.</div><div><br></div><div>Yes the OP may send back attributes that could be modified by the user without the RP knowing.</div><div><br></div><div>The AX 1.0 spec allows OP's and RPs to negotiate any sort of signing and/or encryption they like for attributes. </div><div>However there is no standard for that, so at the moment the most OPs can do is include the AX attributes in the signed part of the response.</div><div><br></div><div>We have talked for a while about the need for AX 2.0 to address some of the ambiguities and add things like encryption and structured attributes.</div><div><br></div><div>I am hopping work on that can get started soon!</div><div><br></div><div>John Bradley</div><div><br><div><div>On 7-Apr-09, at 7:23 PM, <a href="mailto:general-request@openid.net">general-request@openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: -webkit-monospace; font-size: 10px; ">Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)<br>From: santrajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>><br>Subject: Re: [OpenID] My 2 Cents to the OpenID foundation<br>To:<span class="Apple-converted-space"> </span><a href="mailto:general@openid.net">general@openid.net</a><br>Message-ID: <<a href="mailto:22941702.post@talk.nabble.com">22941702.post@talk.nabble.com</a>><br>Content-Type: text/plain; charset=us-ascii<br><br><br>I think the degree of security required must be proportional to the value of<br>the information you are carrying. SHA1 is fine for basic profile data. You<br>need SHA256 only for things like credit card no, social security no, bank<br>account no etc etc.<br><br><br>Allen Tom-2 wrote:<br><blockquote type="cite"><br></blockquote><blockquote type="cite">John Bradley wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Yahoo and I have an ongoing disagreement over the requirement for<span class="Apple-converted-space"> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">openID 2.0 OPs to support HMAC-SHA256, they believe that HMAC-SHA1 is<span class="Apple-converted-space"> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">sufficient. I think that if an RP ask for a SHA256 association they<span class="Apple-converted-space"> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">should support it. (Allen feel free to defend yourself:)<br></blockquote></blockquote><blockquote type="cite">Hi John,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I don't think any RP has asked us to support HMAC-SHA256, so we haven't<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">gotten around to implementing it yet. As far as I can tell, Section 6.2<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks<br></blockquote><blockquote type="cite">Allen<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">general mailing list<br></blockquote><blockquote type="cite"><a href="mailto:general@openid.net">general@openid.net</a><br></blockquote><blockquote type="cite"><a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote></span><br class="Apple-interchange-newline"></blockquote></div><br></div></body></html>