Just digging up an old thread and finding some interesting guesses at MySpace's OpenID support. Just feeling like defending someone here... :)<br><br><b>Does MySpace support OpenID 1.1? </b><br><i>No. </i>The individual user identifiers that MySpace issues only provide OpenID 2.0 discoverable endpoints. I also tried rigging up a delegating identifier that forces the RP to discover a 1.1 endpoint to MySpace, and MySpace choked on it. So it's a 2.0-only OP.<br>
<br><b>Which association types does MySpace support? </b><br>HMAC-SHA1 and HMAC-SHA256. This is in contradiction to earlier in this thread where MySpace allegedly didn't support HMAC-SHA1. <br><br><b>Why do we see HMAC-SHA512 coming from MySpace? Doesn't that compromise interoperability with RPs? Isn't this a deviation from the spec?</b><br>
MySpace uses HMAC-SHA512 for its private associations only, and this is an internal detail. It does <i>not</i> use these for shared associations (unless the RP specifically asks for them), so it should not adversely affect interoperability. Perhaps if some RPs are hard-coded to break if a signature is too long it might break, but IMO this is a poorly written RP if it even exists.
The spec doesn't forbid use of association types that are not described in the spec, either.<br><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/4/7 John Bradley <span dir="ltr"><<a href="mailto:john.bradley@wingaa.com" target="_blank">john.bradley@wingaa.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Santrajan,<div><br></div><div>The symmetric encryption key, SHA1 or SHA256, is set per RP/OP association. </div><div><br></div><div>It would take some real bending of the protocol for the RP to have two associations and choose the one to use based on what the OP might send back.</div>
<div><br></div><div>It is also unlikely that PCI rules are going to allow any OP to store credit cards numbers and make them available via AX. </div><div>There is going to have to be something other than AX as it is now for authenticating financial transactions.</div>
<div><br></div><div>We also need to remember this signature is only intended to prevent tampering and is not used for encryption. </div><div>For AX including the attributes in the signed portion of the message is optional in any event.</div>
<div><br></div><div>Yes, the OP may send back attributes that could be modified by the user without the RP knowing.</div><div><br></div><div>The AX 1.0 spec allows OPs and RPs to negotiate any sort of signing and/or encryption they like for attributes. </div>
<div>However there is no standard for that, so at the moment the most OPs can do is include the AX attributes in the signed part of the response.</div><div><br></div><div>We have talked for a while about the need for AX 2.0 to address some of the ambiguities and add things like encryption and structured attributes.</div>
<div><br></div><div>I am hoping work on that can get started soon!</div><div><br></div><div>John Bradley</div><div><br><div><div>On 7-Apr-09, at 7:23 PM, <a href="mailto:general-request@openid.net" target="_blank">general-request@openid.net</a> wrote:</div>
<br><blockquote type="cite"><span style="color: rgb(0, 0, 0); font-family: -webkit-monospace; font-size: 10px;">Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)<div><br>From: santrajan <<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>><br>
Subject: Re: [OpenID] My 2 Cents to the OpenID foundation<br>To:<span> </span><a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br></div>Message-ID: <<a href="mailto:22941702.post@talk.nabble.com" target="_blank">22941702.post@talk.nabble.com</a>><div>
<br>Content-Type: text/plain; charset=us-ascii<br><br><br></div><div>I think the degree of security required must be proportional to the value of<br>the information you are carrying. SHA1 is fine for basic profile data. You<br>
need SHA256 only for things like credit card no, social security no, bank<br>account no etc etc.<br><br><br>Allen Tom-2 wrote:<br><blockquote type="cite"><br></blockquote><blockquote type="cite">John Bradley wrote:<br></blockquote>
<blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Yahoo and I have an ongoing disagreement over the requirement for<span> </span><br></blockquote>
</blockquote><blockquote type="cite"><blockquote type="cite">openID 2.0 OPs to support HMAC-SHA256, they believe that HMAC-SHA1 is<span> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">
sufficient. I think that if an RP asks for a SHA256 association they<span> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">should support it. (Allen feel free to defend yourself:)<br>
</blockquote>
</blockquote><blockquote type="cite">Hi John,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I don't think any RP has asked us to support HMAC-SHA256, so we haven't<span> </span><br>
</blockquote><blockquote type="cite">gotten around to implementing it yet. As far as I can tell, Section 6.2<span> </span><br></blockquote><blockquote type="cite">of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.<br>
</blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks<br></blockquote><blockquote type="cite">Allen<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote>
<blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">general mailing list<br></blockquote>
<blockquote type="cite"><a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br></blockquote><blockquote type="cite"><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote></div></span><br></blockquote></div><br></div></div><br>
<br></blockquote></div><br>
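Two points in this thread have a concrete shape worth seeing in code: the association type decides which HMAC is used and therefore how long the openid.sig an RP receives is (Andrew's note on MySpace's HMAC-SHA512 private associations), and AX attributes are only protected against tampering if the OP lists them in openid.signed (John's point that including them is optional). The following Python is an added example written for this page; it is not code from the thread, from MySpace, or from any OpenID library. The hostnames, identifiers, nonce and MAC key are constructed placeholders, and the helper names (signed_kv_form, constructed_response, tamper_detected, signature_length) are chosen here rather than taken from any specification.

```python
import base64
import hashlib
import hmac

# Association type -> HMAC digest. HMAC-SHA1 and HMAC-SHA256 are the two
# types defined by OpenID Authentication 2.0 (section 8.3). HMAC-SHA512 is
# not in the spec; it is listed here only to show what a 512-bit MAC does
# to the signature length an RP sees.
ASSOC_TYPES = {
    "HMAC-SHA1": hashlib.sha1,
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA512": hashlib.sha512,
}

# Constructed demo key; a real MAC key is negotiated during association.
MAC_KEY = b"constructed-demo-mac-key-not-a-real-secret"


def signed_kv_form(msg):
    """Key-Value form (section 4.1.1) of the fields named in openid.signed,
    in that order, with the 'openid.' prefix removed (section 6.1)."""
    fields = msg["openid.signed"].split(",")
    return "".join(f"{f}:{msg['openid.' + f]}\n" for f in fields).encode("utf-8")


def sign(msg, mac_key, assoc_type):
    """Base64 of HMAC(mac_key, kv-form): the value the OP puts in openid.sig."""
    mac = hmac.new(mac_key, signed_kv_form(msg), ASSOC_TYPES[assoc_type]).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(msg, mac_key, assoc_type):
    """RP-side check: recompute the signature and compare in constant time."""
    expected = sign(msg, mac_key, assoc_type)
    return hmac.compare_digest(expected, msg.get("openid.sig", ""))


def constructed_response(sign_ax):
    """A positive assertion carrying one AX attribute. Hostnames, identifiers
    and nonce are constructed placeholders. With sign_ax=False the AX fields
    are left out of openid.signed, which AX 1.0 permits."""
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": "2009-04-07T18:56:52Zdemo",
        "openid.assoc_handle": "demo-assoc-handle",
        "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": "alice@example.com",
    }
    # Section 10.1: these fields must always be covered by the signature.
    signed = ["op_endpoint", "claimed_id", "identity",
              "return_to", "response_nonce", "assoc_handle"]
    if sign_ax:
        signed += ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]
    msg["openid.signed"] = ",".join(signed)
    return msg


def tamper_detected(sign_ax, assoc_type="HMAC-SHA256"):
    """The OP signs the response, the e-mail attribute is rewritten on its way
    through the browser, and the RP verifies. True if the RP catches it."""
    msg = constructed_response(sign_ax)
    msg["openid.sig"] = sign(msg, MAC_KEY, assoc_type)
    assert verify(msg, MAC_KEY, assoc_type)  # the untouched response verifies
    msg["openid.ext1.value.email"] = "mallory@example.com"
    return not verify(msg, MAC_KEY, assoc_type)


def signature_length(assoc_type):
    """Length in characters of the base64 openid.sig for this association type."""
    return len(sign(constructed_response(True), MAC_KEY, assoc_type))


if __name__ == "__main__":
    print("AX attribute unsigned, tampering detected:", tamper_detected(False))
    print("AX attribute signed,   tampering detected:", tamper_detected(True))
    for t in ASSOC_TYPES:
        print(f"{t}: openid.sig is {signature_length(t)} base64 characters")
```

Running it shows the unsigned case letting a rewritten e-mail address through with a perfectly valid signature, which is why an RP that relies on AX data should either require the AX fields to appear in openid.signed or treat unsigned attributes as untrusted hints. The length check makes Andrew's interoperability point concrete: a 512-bit MAC yields an 88-character openid.sig instead of 28 or 44, which only matters to an RP that has hard-coded the shorter lengths.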