[PROPOSAL] Changing the Default Session Type for Associations

Recordon, David drecordon at verisign.com
Sat Oct 14 19:42:10 UTC 2006


Currently the default encryption type for openid.session_type when
creating a new association is "no-encryption".  This stems from OpenID
Authentication 1.1 where when the parameter was not included in the
request it meant no encryption.  I'd recommend that this default value
be changed to "DH-SHA1" so that implementers have to specifically
request weaker security rather than explicitly having to request
stronger security when transporting the MAC key.  In a public
environment, no encryption should only be used when using transport
layer security.

The potential downside is that this will change the default value
between 1.1 and 2.0 messages.  I do not believe this is a strong enough
reason to not make this change, but rather it should be documented in
the "OpenID Authentication 1.1 Compatibility" section.  I know we're
very close to wrapping up the protocol, but feel this is important
enough to propose at this time.

--David
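As an added illustration (not part of David's message or any OpenID library), the following Python shows what the proposed default changes: the associate request falls back to "DH-SHA1" instead of "no-encryption", plain MAC-key transport is refused unless the caller asserts TLS, and the DH-SHA1 transport itself (enc_mac_key = mac_key XOR SHA1(btwoc(shared secret))) is carried through end to end. The DH group used here is a constructed toy group, not the spec's default modulus.

```python
import hashlib
import secrets

# Constructed toy DH parameters for illustration only; a real consumer and
# server use the spec's default 1024-bit modulus (not reproduced here).
TOY_MODULUS = (1 << 127) - 1  # Mersenne prime M127, fine for a demo
TOY_GEN = 3

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH integers:
    minimal length, with a leading 0x00 whenever the high bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def transport_allowed(session_type: str, over_tls: bool) -> bool:
    """Per the proposal, an unencrypted MAC key is acceptable only under TLS."""
    return session_type != "no-encryption" or over_tls

def build_associate_request(session_type: str = None, over_tls: bool = False) -> dict:
    """Key/value fields of an associate request. The proposed default is
    DH-SHA1, so a caller must ask explicitly for the weaker mode."""
    if session_type is None:
        session_type = "DH-SHA1"
    if not transport_allowed(session_type, over_tls):
        raise ValueError("no-encryption session_type requires transport-layer security")
    return {
        "openid.mode": "associate",
        "openid.assoc_type": "HMAC-SHA1",
        "openid.session_type": session_type,
    }

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dh_sha1_exchange(mac_key: bytes):
    """Run the DH-SHA1 session from both sides; returns the value that would
    travel on the wire (enc_mac_key) and what the consumer recovers from it."""
    xa = secrets.randbelow(TOY_MODULUS - 2) + 1          # consumer private value
    consumer_public = pow(TOY_GEN, xa, TOY_MODULUS)      # sent as openid.dh_consumer_public
    xb = secrets.randbelow(TOY_MODULUS - 2) + 1          # server private value
    server_public = pow(TOY_GEN, xb, TOY_MODULUS)        # returned as dh_server_public
    shared_on_server = pow(consumer_public, xb, TOY_MODULUS)
    enc_mac_key = _xor(mac_key, hashlib.sha1(btwoc(shared_on_server)).digest())
    shared_on_consumer = pow(server_public, xa, TOY_MODULUS)
    recovered = _xor(enc_mac_key, hashlib.sha1(btwoc(shared_on_consumer)).digest())
    return enc_mac_key, recovered
```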
