Version 2.0 soon final?

2007-03-20 Thread Granqvist, Hans
OpenID 2.0 has been cooking for quite a while. When
will 2.0 be FCS?  

Hans

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: modulus and generator optional in association requests

2007-03-20 Thread Granqvist, Hans
> How did you / others deal with this? There are quite a few 
> ...

Same way that you do/propose -- by using the default values if they
are not present.

-Hans

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: modulus and generator optional in association requests

2007-03-20 Thread Johnny Bufu

On 20-Mar-07, at 1:36 PM, Granqvist, Hans wrote:

> Once something complex is optional, typically few will
> implement it, which means you can run into the inverse:
> implementations that do supply optional values run into parties
> that cannot treat those values correctly.
>
> This means that if one day the default DH values are regarded
> broken for any reason, it's a hard and cumbersome fix.
>
> There might be other security implications hidden here, not sure.

The fix would be to not use the default values, a feature that should  
be provided by the libraries. So the alternatives are broken  
functionality today vs potential security issues in the future, if DH  
with the default modulus will be broken.

How did you / others deal with this? There are quite a few RPs out  
there who treat these fields as optional, so I'm suspecting it's a  
library issue.


> Btw, what do you mean by "be consistent with section 4.1"?

Section 4.1.  Protocol Messages [2] says:

> Throughout this document, all OpenID message parameters are  
> REQUIRED, unless specifically marked as OPTIONAL.


Johnny

[...]
>> [1] http://openid.net/specs/openid- 
>> authentication-2_0-11.html#anchor19
>> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
>> [3] http://groups.google.com/group/openid4java/browse_thread/thread/
>> f96a7b68bb15272d

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: modulus and generator optional in association requests

2007-03-20 Thread Josh Hoyt
On 3/20/07, Granqvist, Hans <[EMAIL PROTECTED]> wrote:
> Once something complex is optional, typically few will
> implement it, which means you can run into the inverse:
> implementations that do supply optional values run into parties
> that cannot treat those values correctly.

They are optional in OpenID 1, so the cat's already out of the bag.

I see no reason to make them required in OpenID 2, since this case
will already need to be implemented.

Josh
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


RE: modulus and generator optional in association requests

2007-03-20 Thread Granqvist, Hans
Once something complex is optional, typically few will
implement it, which means you can run into the inverse: 
implementations that do supply optional values run into parties 
that cannot treat those values correctly. 

This means that if one day the default DH values are regarded 
broken for any reason, it's a hard and cumbersome fix. There 
might be other security implications hidden here, not sure. 

Btw, what do you mean by "be consistent with section 4.1"?

Hans


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Johnny Bufu
> Sent: Tuesday, March 20, 2007 1:07 PM
> To: OpenID specs list
> Subject: modulus and generator optional in association requests
> 
> Hello list!
> 
> The association request [1] seems to be insufficiently specified:  
> openid.dh_modulus and openid.dh_gen are not specifically 
> marked as optional, so according to the "Protocol Messages" 
> [2] section they should be mandatory.
> 
> However, while testing the openid4java code [3], it turns out 
> that RPs are not always sending these fields, which makes me 
> believe the intent of the default values was to make these 
> fields optional in association requests.
> 
> So I suggest we mark the two fields as OPTIONAL to both 
> clarify the usage and be consistent with section 4.1.
> 
> 
> Thanks,
> Johnny
> 
> 
> [1] http://openid.net/specs/openid-authentication-2_0-11.html#anchor19
> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
> [3] http://groups.google.com/group/openid4java/browse_thread/thread/
> f96a7b68bb15272d
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
> 
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


modulus and generator optional in association requests

2007-03-20 Thread Johnny Bufu
Hello list!

The association request [1] seems to be insufficiently specified:  
openid.dh_modulus and openid.dh_gen are not specifically marked as  
optional, so according to the "Protocol Messages" [2] section they  
should be mandatory.

However, while testing the openid4java code [3], it turns out that  
RPs are not always sending these fields, which makes me believe the  
intent of the default values was to make these fields optional in  
association requests.

So I suggest we mark the two fields as OPTIONAL to both clarify the  
usage and be consistent with section 4.1.


Thanks,
Johnny


[1] http://openid.net/specs/openid-authentication-2_0-11.html#anchor19
[2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
[3] http://groups.google.com/group/openid4java/browse_thread/thread/ 
f96a7b68bb15272d
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs