<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Hi Andrew,<br>
<br>
Thank you for your input. I knew about OpenID 2.0, but thought it best
to get a general idea of OpenID by reading the 1.0 specs.<br>
<br>
<br>
</font></font>
<div class="moz-signature">
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title>Signature</title>
<small style="font-family: Helvetica,Arial,sans-serif;">Met
vriendelijke groet / With kind regards / mit besten Grüßen,</small><br>
<br>
<br>
<table style="text-align: left; width: 177px; height: 124px;" border="0"
cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td
style="width: 26px; background-color: rgb(255, 153, 0); text-align: right; vertical-align: bottom;"
colspan="1" rowspan="4"><img
style="border: 0px solid ; width: 26px; height: 107px;" alt=""
src="cid:part1.08020903.01010308@rtlinteractief.nl" hspace="0"
vspace="0"><br>
</td>
<td style="width: 5px;"><br>
</td>
<td><small><span style="font-family: Helvetica,Arial,sans-serif;"></span></small><small
style="font-family: Helvetica,Arial,sans-serif; font-weight: bold;">Coen
Schalkwijk</small><br>
<small style="font-family: Helvetica,Arial,sans-serif;"><small
style="font-style: italic;">Software Engineer</small></small></td>
</tr>
<tr>
<td><br>
</td>
<td><small><small style="font-family: Helvetica,Arial,sans-serif;"><a
href="mailto:coen.schalkwijk@rtl.nl">coen.schalkwijk@rtl.nl</a></small></small></td>
</tr>
<tr>
<td><br>
</td>
<td><small><small style="font-family: Helvetica,Arial,sans-serif;"><a
href="mailto:coen@rtlinteractief.nl">coen@rtlinteractief.nl</a></small></small></td>
</tr>
<tr>
<td><br>
</td>
<td><small><small style="font-family: Helvetica,Arial,sans-serif;">+31
(0)35
671 8915</small></small></td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900905040716x5141cc0bn445af1f46b464d84@mail.gmail.com"
type="cite">Inline... Hope this helps.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
<div class="gmail_quote">2009/5/4 <a moz-do-not-send="true"
href="mailto:coen@rtlinteractief.nl">coen@rtlinteractief.nl</a> <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:coen@rtlinteractief.nl">coen@rtlinteractief.nl</a>></span><br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif">Hi All,<br>
<br>
I'm new to OpenID and reading up before implementation and I have a few
questions. Sorry for the n00b level, but I did try to figure things out
myself.<br>
<br>
Concerning 'OpenID Authentication 1.1'</font></font></div>
</blockquote>
<div>First of all, just want to make sure that you're aware that
OpenID 2.0 has been out for a while, and a few of the very large
providers don't even support 1.1.<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><br>
* Paragraph 4.2.2.3, </font></font>I cannot place the term 'opaque',
what does it mean in this context? (I'm not a native English
speaker(/reader))</div>
</blockquote>
<div>It means that the receiving party should not try to interpret
the value in any way, and should preserve it exactly as received. <br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><br>
* Paragraph 4.2.2..3 is missing a right parenthesis, where does it go?</div>
</blockquote>
<div>At the end of the line. <br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><br>
* Paragraph 4.3.2.2, openid.assoc_handle, I do not understand the
meaning of 'to fine for', I tried different online translations, but
can't work it out. </div>
</blockquote>
<div>It's a typo. It should read "<span class="Apple-style-span"
style="border-collapse: separate; color: rgb(0, 0, 0); font-family: verdana; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">Opaque
association handle being used to <b>find</b> the HMAC key for the
signature."</span> </div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><br>
<br>
<font size="-1"><font face="Helvetica, Arial, sans-serif">I think I
got
these, but would like them verified:<br>
* DH-SHA1 means using SHA1 for encrypting the mac key?</font></font></div>
</blockquote>
<div>That's about right. SHA-1 hashes rather than encrypts, and it
isn't used until after the MAC key is exchanged. DH-SHA1 means use
Diffie-Hellman to encrypt the MAC key, and (if your code requires it)
initialize your DH session to expect the key size required for a
SHA-1-sized key.<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><br>
* HMAC-SHA1 means using SHA1 for message authentication? But if this
is true, then what does the HMAC function do?</font></font></div>
</blockquote>
<div>HMAC-SHA is a way of hashing that includes a shared secret in
the algorithm so that it generates a kind of signature that proves
someone signed it using a secret key. HMAC-SHA1 is a single algorithm,
so no, don't use a standard SHA1 function here. You need HMAC-SHA1 as
a single operation.<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><br>
* The secret(..) function is a server side function encrypting the
assoc_handle with whatever method the server desires?</font></font></div>
</blockquote>
<div>No. The assoc_handle is never encrypted. secret(..) is a
function that fetches the shared secret by looking it up using the
assoc_handle. <br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><br>
* Delegating authentication as described in paragraph 3.1.1. is a
single/one time step. There can be no delegation after delegation?</font></font></div>
</blockquote>
<div>That's right. Delegation results in an OP endpoint, claimed
identifier and OP local identifier, so there can be no delegation
chaining.<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><font size="-1"><font
face="Helvetica, Arial, sans-serif"><br>
* Should the end user have to log in on the server in order for it to
verify the claimed id, the difference between checkid_immediate and
checkid_setup is that the first says a user should perform the
authentication on the server (at the returned openid.user_setup_url)
where the latter directly performs any required authentication?</font></font></div>
</blockquote>
<div>The user must always log into the server before a positive
identity assertion is sent to the RP. But if the user has already
logged into their OP and their session is still intact, that step need
not be repeated. This is always true. The difference between
checkid_immediate and checkid_setup is used by the RP when a background
AJAX auth attempt is in progress to hint to the OP that it must not
display any UI to the user that it expects the user to respond to since
the user will never see it. checkid_setup is most commonly used, and
means the OP can display whatever login UI it needs to in order to send
a positive assertion. When the OP needs to display UI to complete
login but a checkid_immediate message is sent, it just replies "no".<br>
<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">I'm currently reading the 2.0
specs, which raises (a lot
of) new questions, but sure helped me understand the 1.1 better.<br>
<br>
<br>
Thanks a bunch,<br>
<font color="#888888"><br>
Coen
</font></div>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</blockquote>
</div>
<br>
</blockquote>
</body>
</html>