Notes From Draft 10
Hans Granqvist
hgranqvist at verisign.com
Mon Oct 16 22:26:23 UTC 2006
Marius Scurtescu wrote:
> On 16-Oct-06, at 2:44 PM, Josh Hoyt wrote:
>
>
>>On 10/16/06, Recordon, David <drecordon at verisign.com> wrote:
>>
>>>6.1 Signed List Algorithm
>>
>>[...]
>>
>>>I'm thinking it would make sense to change this algorithm to first
>>>alphabetically sort the arguments to make it very clear in terms of
>>>ordering.
>>
>>I think it's a good idea to say that the signed list MUST be generated
>>by the IdP in that order. Then signature *verification* is compatible
>>with OpenID 1's algorithm. Unless there is objection, I'll do this.
>
>
> Sorting of Unicode strings, while not terribly hard, is not trivial
> either. Why bother? The list of signed fields gives an explicit
> ordering; this is good enough IMO.
>
> Why would an alphabetically sorted list be better?
>
I agree.
What's the security benefit of forcing the protocol to use a
specific order?
The signed list has an inherent order that can change should attacks
come to light in the future. Why remove that possibility?
Hans
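
Added example, not part of the original message or of any OpenID library: a sketch of signed-list verification as OpenID 1.x defines it (HMAC-SHA1 over the key-value form of the fields named in openid.signed, taken in the order that list gives), showing that a verifier accepts whatever order the IdP chose, sorted or not. The function names, MAC key and field values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def signing_base(fields, signed):
    """Key-value form of the fields named in `signed`, in exactly that order."""
    lines = []
    for name in signed.split(","):
        value = fields["openid." + name]
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("not representable in key-value form: " + name)
        lines.append(name + ":" + value + "\n")
    return "".join(lines).encode("utf-8")

def sign(fields, signed, mac_key):
    """Base64 HMAC-SHA1 over the signing base string."""
    mac = hmac.new(mac_key, signing_base(fields, signed), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def make_response(fields, signed, mac_key):
    """IdP side: attach openid.signed and openid.sig for the chosen order."""
    out = dict(fields)
    out["openid.signed"] = signed
    out["openid.sig"] = sign(out, signed, mac_key)
    return out

def verify(fields, mac_key):
    """Verifier side: recompute the MAC using the order carried in openid.signed."""
    expected = sign(fields, fields["openid.signed"], mac_key)
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))

# Constructed sample data (not real keys or identities).
MAC_KEY = b"constructed-association-key"
FIELDS = {
    "openid.mode": "id_res",
    "openid.identity": "http://example.com/alice",
    "openid.return_to": "http://rp.example.org/return",
}
NAMES = ["mode", "identity", "return_to"]
EXPLICIT = make_response(FIELDS, ",".join(NAMES), MAC_KEY)        # IdP's own order
SORTED = make_response(FIELDS, ",".join(sorted(NAMES)), MAC_KEY)  # sorted order

if __name__ == "__main__":
    print(verify(EXPLICIT, MAC_KEY), verify(SORTED, MAC_KEY))
    print(EXPLICIT["openid.sig"] != SORTED["openid.sig"])
```

The two responses carry different signatures because the base strings differ, yet the same verifier code accepts both; a response whose openid.signed is reordered after signing no longer verifies.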