modulus and generator optional in association requests
Johnny Bufu
johnny at sxip.com
Tue Mar 20 21:32:38 UTC 2007

On 20-Mar-07, at 1:36 PM, Granqvist, Hans wrote:

> Once something complex is optional, typically few will
> implement it, which means you can run into the inverse:
> implementations that do supply optional values run into parties
> that cannot treat those values correctly.
>
> This means that if one day the default DH values are regarded
> broken for any reason, it's a hard and cumbersome fix.
>
> There might be other security implications hidden here, not sure.

The fix would be to not use the default values, a feature that should
be provided by the libraries. So the alternatives are broken
functionality today vs potential security issues in the future, if DH
with the default modulus will be broken.

How did you / others deal with this? There are quite a few RPs out
there who treat these fields as optional, so I'm suspecting it's a
library issue.

> Btw, what do you mean by "be consistent with section 4.1"?

Section 4.1. Protocol Messages [2] says:

> Throughout this document, all OpenID message parameters are
> REQUIRED, unless specifically marked as OPTIONAL.

Johnny

[...]

>> [1] http://openid.net/specs/openid-authentication-2_0-11.html#anchor19
>> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
>> [3] http://groups.google.com/group/openid4java/browse_thread/thread/f96a7b68bb15272d
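
An added example, not part of the original message or of any library mentioned in it: one way a provider-side library could treat `openid.dh_modulus` and `openid.dh_gen` as optional while still accepting and sanity-checking supplied values, so that moving off the defaults later only requires the sender to include them. The function names are hypothetical, and `DEFAULT_MODULUS` is a constructed stand-in for the specification's default prime.

```python
import base64

# Constructed stand-in for the specification's default modulus (the real default
# is a 1024-bit prime listed in the spec); 2**127 - 1 only keeps the example short.
DEFAULT_MODULUS = 2**127 - 1
DEFAULT_GEN = 2  # default generator in OpenID Authentication 2.0


def btwoc_encode(n: int) -> str:
    """base64(btwoC(n)): minimal big-endian two's complement of a non-negative int."""
    if n < 0:
        raise ValueError("only non-negative integers are encoded")
    # One extra bit of room guarantees the sign bit of the first byte is clear.
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return base64.b64encode(raw).decode("ascii")


def btwoc_decode(text: str) -> int:
    """Decode base64(btwoC(n)), rejecting malformed base64 and negative values."""
    raw = base64.b64decode(text, validate=True)
    if not raw:
        raise ValueError("empty integer")
    n = int.from_bytes(raw, "big", signed=True)
    if n < 0:
        raise ValueError("negative value (sender omitted the leading zero byte?)")
    return n


def resolve_dh_params(fields: dict) -> tuple:
    """Return (modulus, generator); each field falls back to its default on its own."""
    p_text = fields.get("openid.dh_modulus")
    g_text = fields.get("openid.dh_gen")
    # An absent or empty field means "use the default", not "reject the request".
    p = btwoc_decode(p_text) if p_text else DEFAULT_MODULUS
    g = btwoc_decode(g_text) if g_text else DEFAULT_GEN
    # Sanity checks only: this does not prove that p is prime or a safe prime.
    if p < 5 or p % 2 == 0:
        raise ValueError("modulus must be odd and at least 5")
    if not 1 < g < p - 1:
        raise ValueError("generator out of range for modulus")
    return p, g
```
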