OpenID Authentication 2.0 spec clarification - must OP support check_authentication direct verification?

John Bradley john.bradley at wingaa.com
Fri Aug 27 16:34:13 UTC 2010


I don't know of anything less secure about stateless mode. Associations are a performance optimization, not a security one.

John B.
On 2010-08-27, at 12:25 PM, Hans Granqvist wrote:

> Since stateless mode authentication is weak, it seems incorrect to say a
> provider must or should implement it.
> 
> 
> On Fri, Aug 27, 2010 at 12:20 AM, Yitzchak Scott-Thoennes <sthoenna at gmail.com> wrote:
> (David, sorry for sending this to you by accident instead of the list.)
> 
> Should, not must?
> 
> If must (and maybe even if should), then it seems it either should be
> illegal to have mode as a signed attribute or check_authentication
> should not be subject to signature checking (since the sender must
> change the mode attribute and isn't able to recalculate the signature,
> and in any case, the whole purpose is that the OP validate the
> signature received by the Relying Party.)
> 
> On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <recordond at gmail.com> wrote:
> > ugh, yes every provider should support check_authentication.
> >
> > On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes
> > <sthoenna at gmail.com> wrote:
> >>
> >> In the OpenID Authentication 2.0 spec, the Relying Party is obligated
> >> to use direct verification to check the signature when it does not have
> >> the association stored.
> >>
> >> But is an OP required to support check_authentication?
> >>
> >> There are certain providers that appear to not support it, always
> >> returning a failure.
> >>
> >> There are other providers that include mode as a signed attribute,
> >> and so reject the check_authentication as having an invalid signature
> >> (since the mode has changed).
> >>
> >> Can someone familiar with this comment, please?
> >> _______________________________________________
> >> specs mailing list
> >> specs at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs
> >
> >
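The check_authentication problem the thread describes, as an added example (not code from the list or from the OpenID spec): the RP forwards the id_res fields with only openid.mode changed, and the OP recomputes the HMAC over the fields named in openid.signed. If the OP put "mode" in its signed list, its own forwarded response can no longer verify. Assumes an HMAC-SHA256 association; the MAC key, endpoint, identifier, nonce and handle values are constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Set

# Constructed sample MAC key (256-bit, as for an HMAC-SHA256 association).
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def signature_base(fields: Dict[str, str]) -> bytes:
    # Key-Value form of the fields named in openid.signed (spec section 6.1):
    # "key:value\n" per field, in listed order, without the openid. prefix.
    keys = fields["openid.signed"].split(",")
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys).encode()

def sign(fields: Dict[str, str]) -> str:
    digest = hmac.new(MAC_KEY, signature_base(fields), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def op_issue_id_res(sign_mode: bool) -> Dict[str, str]:
    # The OP's positive assertion. The fields the spec requires to be signed are
    # listed; sign_mode=True also signs "mode", as the providers in the thread do.
    resp = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",     # constructed
        "openid.claimed_id": "https://alice.example/",           # constructed
        "openid.return_to": "https://rp.example/finish",         # constructed
        "openid.response_nonce": "2010-08-27T16:34:13ZUNIQUE",   # constructed
        "openid.assoc_handle": "stateless-handle",               # constructed
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "claimed_id"] + (["mode"] if sign_mode else [])
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(resp)
    return resp

def rp_direct_verification_request(id_res: Dict[str, str]) -> Dict[str, str]:
    # Spec section 11.4.2.1: exact copies of all fields, except openid.mode.
    return {**id_res, "openid.mode": "check_authentication"}

def op_check_authentication(req: Dict[str, str], used_nonces: Set[str]) -> bool:
    # OP side of direct verification: recompute the signature over the fields
    # named in openid.signed, and answer positively at most once per nonce.
    if req.get("openid.mode") != "check_authentication":
        return False
    if req["openid.response_nonce"] in used_nonces:
        return False
    ok = hmac.compare_digest(sign(req), req["openid.sig"])
    if ok:
        used_nonces.add(req["openid.response_nonce"])
    return ok
```

With "mode" left out of the signed list the forwarded request verifies once and a replay of the same nonce is refused; with "mode" signed, the recomputed base string contains "mode:check_authentication" and verification fails, which is exactly the invalid-signature rejection reported above.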
