<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Adding OAuth signature methods, including RSA-SHA1, to OpenID 2.1 is
supposed to happen. It is probably not a good idea to return RSA keys
via association requests for unregistered consumers though.<br>
<br>
Allen<br>
<br>
<br>
Breno de Medeiros wrote:
<blockquote
cite="mid:29fb00360811131746w7f359a45xa375db44fb0219e3@mail.gmail.com"
type="cite">
<pre wrap="">2008/11/13 Allen Tom <a class="moz-txt-link-rfc2396E" href="mailto:atom@yahoo-inc.com"><atom@yahoo-inc.com></a>:
</pre>
<blockquote type="cite">
<pre wrap="">In the registered consumer case, why not just do:
openid.assoc_handle=consumer_key
openid.mac_key=consumer_secret
</pre>
</blockquote>
<pre wrap=""><!---->
This implies that the consumer key is HMAC-SHA1. What if it is RSA?
</pre>
<blockquote type="cite">
<pre wrap="">?
In the unregistered consumer case, the OpenID association request could be
extended to hand out Consumer keys, which are then used as the association
handle. The scopes and realm could be passed to the association request as
well.
Allen
Dirk Balfanz wrote:
Yes, I can see how that would happen.
So how about for OPs who tie scope to Consumer Keys, their
openid.oauth.scope syntax would look something like this:
openid.oauth.scope=consumer_key:scope1,scope2,scope3
Or, if there is a one-to-one mapping from consumer_key to scope, simply like
this:
openid.oauth.scope=consumer_key
Dirk.
On Thu, Nov 13, 2008 at 2:04 PM, Darren Bounds <a class="moz-txt-link-rfc2396E" href="mailto:darren@cliqset.com"><darren@cliqset.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Certainly but the consumer context you display to the user is falsely
represented based solely on the realm in that circumstance.
Sent from a mobile device.
On Nov 13, 2008, at 4:58 PM, Dirk Balfanz <a class="moz-txt-link-rfc2396E" href="mailto:balfanz@google.com"><balfanz@google.com></a> wrote:
On Thu, Nov 13, 2008 at 1:45 PM, Allen Tom <a class="moz-txt-link-rfc2396E" href="mailto:atom@yahoo-inc.com"><atom@yahoo-inc.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Dirk Balfanz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I don't think this is true - I believe the realm is sufficient. Let me
try and explain. (We'll assume registered consumers.) On the approval page,
we need to identify the consumer. In its current form, the spec basically
assumes that you're gonna use the realm for that.
</pre>
</blockquote>
<pre wrap="">You're assuming that a realm has only one CK. A site might have multiple
consumer keys, with different scopes attached to them...
</pre>
</blockquote>
<pre wrap="">Actually, I wasn't assuming that. At access token request time, you follow
the map from consumer-key to realm (that's the direction you can do, right)?
If that's a many-to-one map then this will give you one realm. Then you
check whether that's the realm that the request token was issued to.
The one thing you're losing is that you can't, at approval time, figure
out whether that realm is requesting a scope that they have access to. So a
realm could ask for a certain scope in their auth request, the user approves
it, and then at access-token-request time, you won't issue the token b/c
they're using a CK that doesn't have enough privileges. It's still secure,
but gives you a crappy user experience if the consumer mixes up their CKs.
Wait - I think I have an idea: what if the Yahoo-specific way of
requesting the scope is to include the CK into the openid.oauth.scope
parameter? That way, you can at approval time make sure that they are
requesting a scope that they are actually authorized to pick up. This
wouldn't be for security purposes - just as a way to make sure the user
experience isn't surprising.
Dirk.
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
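The two OP-side checks the thread converges on, as an added example in Python that is not part of this thread or of any OpenID library: Dirk's approval-time check (the consumer key carried inside openid.oauth.scope is verified against that key's registered realm and scopes) and the access-token-time check (follow the consumer key to its realm and compare with the realm the request token was issued to). The registry, keys, realms and scope names are constructed sample data.

```python
# Added illustration of the checks discussed above; all registry data is constructed.
from urllib.parse import parse_qs

# Constructed OP-side registry: consumer key -> (registered realm, scopes it may request)
CONSUMER_REGISTRY = {
    "ck-photos": ("http://example-app.test/", {"photos.read", "photos.write"}),
    "ck-contacts": ("http://example-app.test/", {"contacts.read"}),
}

def parse_scope(value):
    """Split 'consumer_key:scope1,scope2' (or a bare 'consumer_key') as proposed in the thread."""
    key, sep, scopes = value.partition(":")
    requested = {s for s in scopes.split(",") if s} if sep else set()
    return key, requested

def approval_check(query):
    """Approval-time check: may this realm's consumer key ask for these scopes?
    Returns (ok, detail); detail is the granted scope list or the reason for refusal."""
    params = parse_qs(query, strict_parsing=True)
    realm = params["openid.realm"][0]
    key, requested = parse_scope(params["openid.oauth.scope"][0])
    entry = CONSUMER_REGISTRY.get(key)
    if entry is None:
        return False, "unknown consumer key"
    reg_realm, allowed = entry
    if reg_realm != realm:
        # A CK belonging to another realm must not be usable to dress up this request.
        return False, "consumer key not registered to this realm"
    if not requested:
        requested = allowed  # one-to-one mapping case: a bare key means its full scope
    if not requested <= allowed:
        extra = ",".join(sorted(requested - allowed))
        return False, "scope not authorized for consumer key: " + extra
    return True, ",".join(sorted(requested))

def access_token_check(consumer_key, token_realm):
    """Access-token-time check: follow CK -> realm (the direction the OP can do)
    and require it to equal the realm the request token was issued to."""
    entry = CONSUMER_REGISTRY.get(consumer_key)
    return entry is not None and entry[0] == token_realm
```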
<br>
</body>
</html>