Currently the default encryption type for openid.session_type when
creating a new association is "no-encryption".  This stems from OpenID
Authentication 1.1 where when the parameter was not included in the
request it meant no encryption.  I'd recommend that this default value
be changed to "DH-SHA1" so that implementers have to specifically
request weaker security rather than explicitly having to request
stronger security when transporting the MAC key.  In a public
environment, no encryption should only be used when using transport
layer security.

The potential downside is that this will change the default value
between 1.1 and 2.0 messages.  I do not believe this is a strong enough
reason to not make this change, but rather it should be documented in
the "OpenID Authentication 1.1 Compatibility" section.  I know we're
very close to wrapping up the protocol, but feel this is important
enough to propose at this time.

--David
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
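
The effect of the default discussed in the message above, as an added example that is not part of the original post or of any OpenID library: the same association request, sent without openid.session_type, is answered under each default. The helper names, the simplified response fields and the small toy group (not the modulus from the specification) are assumptions made for the illustration.

```python
import base64, hashlib, secrets

# Constructed toy Diffie-Hellman group for the demo; NOT the spec's default modulus.
P = 2**127 - 1
G = 5

def btwoc(n):
    """Big-endian two's complement of a non-negative integer (leading 0x00 if needed)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def _b64(raw):
    return base64.b64encode(raw).decode()

def _unb64_int(text):
    return int.from_bytes(base64.b64decode(text), "big")

def _mask(shared, data):
    # DH-SHA1: XOR the 20-byte MAC key with SHA1(btwoc(shared secret)).
    return bytes(a ^ b for a, b in zip(hashlib.sha1(btwoc(shared)).digest(), data))

def consumer_request(x):
    """Hypothetical relying-party request that leaves openid.session_type out."""
    return {"openid.mode": "associate",
            "openid.dh_consumer_public": _b64(btwoc(pow(G, x, P)))}

def associate(params, mac_key, default_session_type):
    """Hypothetical provider handler: the default decides how the MAC key travels."""
    session = params.get("openid.session_type", default_session_type)
    if session == "no-encryption":
        return {"session_type": session, "mac_key": _b64(mac_key)}
    if session != "DH-SHA1":
        raise ValueError("unsupported session type: %r" % session)
    y = secrets.randbelow(P - 2) + 1          # provider's private value
    shared = pow(_unb64_int(params["openid.dh_consumer_public"]), y, P)
    return {"session_type": session,
            "dh_server_public": _b64(btwoc(pow(G, y, P))),
            "enc_mac_key": _b64(_mask(shared, mac_key))}

def sent_in_clear(response):
    """True when the response carries the MAC key unencrypted."""
    return "mac_key" in response

def consumer_recover(response, x):
    """Relying party: derive the shared secret and unmask enc_mac_key."""
    shared = pow(_unb64_int(response["dh_server_public"]), x, P)
    return _mask(shared, base64.b64decode(response["enc_mac_key"]))

if __name__ == "__main__":
    x, mac = secrets.randbelow(P - 2) + 1, secrets.token_bytes(20)
    for default in ("no-encryption", "DH-SHA1"):
        resp = associate(consumer_request(x), mac, default)
        print(default, "-> MAC key in clear:", sent_in_clear(resp))
```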
