modulus and generator optional in association requests
Granqvist, Hans
hgranqvist at verisign.com
Tue Mar 20 20:36:29 UTC 2007
Once something complex is optional, typically few will
implement it, which means you can run into the inverse:
implementations that do supply optional values run into parties
that cannot treat those values correctly.
This means that if one day the default DH values are regarded
broken for any reason, it's a hard and cumbersome fix. There
might be other security implications hidden here, not sure.
Btw, what do you mean by "be consistent with section 4.1"?
Hans
> -----Original Message-----
> From: specs-bounces at openid.net
> [mailto:specs-bounces at openid.net] On Behalf Of Johnny Bufu
> Sent: Tuesday, March 20, 2007 1:07 PM
> To: OpenID specs list
> Subject: modulus and generator optional in association requests
>
> Hello list!
>
> The association request [1] seems to be insufficiently specified:
> openid.dh_modulus and openid.dh_gen are not specifically
> marked as optional, so according to the "Protocol Messages"
> [2] section they should be mandatory.
>
> However, while testing the openid4java code [3], it turns out
> that RPs are not always sending these fields, which makes me
> believe the intent of the default values was to make these
> fields optional in association requests.
>
> So I suggest we mark the two fields as OPTIONAL to both
> clarify the usage and be consistent with section 4.1.
>
>
> Thanks,
> Johnny
>
>
> [1] http://openid.net/specs/openid-authentication-2_0-11.html#anchor19
> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
> [3] http://groups.google.com/group/openid4java/browse_thread/thread/f96a7b68bb15272d
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
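Added example for the optionality question above (my own code, not from the thread, the OpenID spec or openid4java): an OP-side helper that applies the spec defaults when openid.dh_modulus / openid.dh_gen are absent, decodes supplied values from the base64(btwoc()) form, and rejects malformed or out-of-range ones instead of silently accepting them, while reporting whether defaults were used so non-default parameters can be logged. Assumptions: the default modulus hex is reproduced here from the OpenID 2.0 spec (Appendix B, generator 2) and should be checked against the spec text; MIN_MODULUS_BITS is a local policy, not a spec rule.

```python
import base64

# Constructed example for this thread, not code from the OpenID spec or openid4java.
# Defaults as given in the OpenID 2.0 spec (Appendix B for p, generator g = 2);
# the hex below is reproduced from the spec and should be verified against it.
DEFAULT_DH_MODULUS = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
DEFAULT_DH_GEN = 2
MIN_MODULUS_BITS = 1024  # assumed local policy, not a spec requirement


def btwoc_decode(b64):
    """Decode base64(btwoc(n)): big-endian two's complement, must be positive."""
    raw = base64.b64decode(b64, validate=True)
    n = int.from_bytes(raw, "big", signed=True)
    if n <= 0:
        raise ValueError("btwoc value must be positive")
    return n


def btwoc_encode(n):
    """Inverse of btwoc_decode (adds the leading 0x00 when the high bit is set)."""
    length = (n.bit_length() + 8) // 8
    return base64.b64encode(n.to_bytes(length, "big", signed=True)).decode()


def dh_params_from_request(msg):
    """Return (p, g, used_defaults) for a DH association request dict.

    Missing fields fall back to the spec defaults; supplied fields are decoded
    and sanity-checked. used_defaults lets the OP log non-default parameters.
    """
    if "openid.dh_consumer_public" not in msg:
        raise ValueError("openid.dh_consumer_public is required for DH sessions")
    used_defaults = "openid.dh_modulus" not in msg and "openid.dh_gen" not in msg
    p = btwoc_decode(msg["openid.dh_modulus"]) if "openid.dh_modulus" in msg else DEFAULT_DH_MODULUS
    g = btwoc_decode(msg["openid.dh_gen"]) if "openid.dh_gen" in msg else DEFAULT_DH_GEN
    if p % 2 == 0 or p.bit_length() < MIN_MODULUS_BITS:
        raise ValueError("unacceptable DH modulus")
    if not 2 <= g <= p - 2:
        raise ValueError("generator out of range")
    pub = btwoc_decode(msg["openid.dh_consumer_public"])
    if not 2 <= pub <= p - 2:
        raise ValueError("consumer public value out of range")
    return p, g, used_defaults
```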