RE: modulus and generator optional in association requests

2007-03-20 Thread Granqvist, Hans
> How did you / others deal with this? There are quite a few 
> ...

Same way that you do/propose -- by using the default values if they
are not present.

-Hans

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: modulus and generator optional in association requests

2007-03-20 Thread Johnny Bufu

On 20-Mar-07, at 1:36 PM, Granqvist, Hans wrote:

> Once something complex is optional, typically few will
> implement it, which means you can run into the inverse:
> implementations that do supply optional values run into parties
> that cannot treat those values correctly.
>
> This means that if one day the default DH values are regarded
> broken for any reason, it's a hard and cumbersome fix.
>
> There might be other security implications hidden here, not sure.

The fix would be to not use the default values, a feature that should
be provided by the libraries. So the alternatives are broken
functionality today vs potential security issues in the future, if DH
with the default modulus is ever broken.

How did you / others deal with this? There are quite a few RPs out  
there who treat these fields as optional, so I'm suspecting it's a  
library issue.


> Btw, what do you mean by "be consistent with section 4.1"?

Section 4.1.  Protocol Messages [2] says:

> Throughout this document, all OpenID message parameters are  
> REQUIRED, unless specifically marked as OPTIONAL.


Johnny

[...]
>> [1] http://openid.net/specs/openid- 
>> authentication-2_0-11.html#anchor19
>> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
>> [3] http://groups.google.com/group/openid4java/browse_thread/thread/
>> f96a7b68bb15272d

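The behaviour the thread is circling around, as an added Python example (hypothetical code written for this page, not openid4java's or any other library's): an OP that fills in the spec defaults when openid.dh_modulus and openid.dh_gen are absent, honours them when the RP does send them, and still insists on openid.dh_consumer_public. It assumes the request has already been form-decoded into a dict. The default modulus literal is the decimal that the common libraries carry for Appendix B and should be checked against the spec text; the min_modulus_bits and op_honours_supplied knobs are this example's own, and any 127-bit group passed in is a constructed toy for illustration, not a usable DH group.

```python
"""OP-side handling of a 2.0 association request with a DH session type.
Hypothetical example for this thread, not openid4java's or any library's code.
The request is assumed to be already form-decoded into a dict."""
import base64
import hashlib
import secrets

# Appendix B default modulus, as the common libraries carry it in decimal.
# Check it against the spec text before relying on it.
DEFAULT_DH_MODULUS = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
DEFAULT_DH_GEN = 2
# session type -> (hash constructor, MAC key length the spec pairs with it)
SESSION_TYPES = {"DH-SHA1": (hashlib.sha1, 20), "DH-SHA256": (hashlib.sha256, 32)}


def btwoc(n):
    """Shortest big-endian two's complement encoding of a non-negative int."""
    if n < 0:
        raise ValueError("btwoc encodes non-negative integers only")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def unbtwoc(data):
    """Inverse of btwoc; an encoding of a negative number is an error."""
    n = int.from_bytes(data, "big", signed=True)
    if n < 0:
        raise ValueError("negative value in DH field")
    return n


def _b64(n):
    return base64.b64encode(btwoc(n)).decode()


def _dh_int(params, key, default=None):
    """Decode a base64(btwoc(x)) field, or apply the default when it is absent."""
    if key not in params:
        if default is None:
            raise ValueError(f"{key} is REQUIRED")
        return default
    return unbtwoc(base64.b64decode(params[key], validate=True))


def parse_association_request(params, min_modulus_bits=1024):
    """Validate the DH fields of an associate request (OP side)."""
    session_type = params.get("openid.session_type")
    if session_type not in SESSION_TYPES:
        raise ValueError(f"unsupported session_type {session_type!r}")
    p = _dh_int(params, "openid.dh_modulus", DEFAULT_DH_MODULUS)
    g = _dh_int(params, "openid.dh_gen", DEFAULT_DH_GEN)
    yc = _dh_int(params, "openid.dh_consumer_public")
    # min_modulus_bits is this example's own knob: where an OP would refuse a
    # group that has come to be regarded as too weak, default or not.
    if p.bit_length() < min_modulus_bits:
        raise ValueError("dh_modulus too small")
    if not 1 < g < p - 1 or not 1 < yc < p - 1:
        raise ValueError("dh_gen or dh_consumer_public out of range")
    return {"session_type": session_type, "modulus": p, "gen": g,
            "consumer_public": yc,
            "modulus_defaulted": "openid.dh_modulus" not in params}


def op_dh_response(req, mac_key, server_private=None):
    """DH part of the OP's response: server public value and XOR-masked MAC key."""
    hashfn, key_len = SESSION_TYPES[req["session_type"]]
    if len(mac_key) != key_len:
        raise ValueError("mac_key length must match the session type's hash")
    p, g = req["modulus"], req["gen"]
    xs = server_private if server_private is not None else secrets.randbelow(p - 3) + 2
    digest = hashfn(btwoc(pow(req["consumer_public"], xs, p))).digest()
    masked = bytes(a ^ b for a, b in zip(digest, mac_key))
    return {"dh_server_public": _b64(pow(g, xs, p)),
            "enc_mac_key": base64.b64encode(masked).decode()}


def rp_recover_mac_key(session_type, p, consumer_private, response):
    """RP side: derive the shared secret and unmask the MAC key."""
    hashfn, _ = SESSION_TYPES[session_type]
    ys = unbtwoc(base64.b64decode(response["dh_server_public"]))
    digest = hashfn(btwoc(pow(ys, consumer_private, p))).digest()
    masked = base64.b64decode(response["enc_mac_key"])
    return bytes(a ^ b for a, b in zip(digest, masked))


def run_exchange(session_type, mac_key, rp_private, op_private, p=None, g=None,
                 op_honours_supplied=True, min_modulus_bits=1024):
    """Round trip.  p/g of None means the RP omits the optional fields;
    op_honours_supplied=False models an OP that ignores the fields it is sent."""
    use_p = DEFAULT_DH_MODULUS if p is None else p
    use_g = DEFAULT_DH_GEN if g is None else g
    params = {"openid.ns": "http://specs.openid.net/auth/2.0",
              "openid.mode": "associate", "openid.session_type": session_type,
              "openid.assoc_type": "HMAC-SHA1" if session_type == "DH-SHA1" else "HMAC-SHA256",
              "openid.dh_consumer_public": _b64(pow(use_g, rp_private, use_p))}
    if p is not None:
        params["openid.dh_modulus"] = _b64(p)
    if g is not None:
        params["openid.dh_gen"] = _b64(g)
    seen = params if op_honours_supplied else {
        k: v for k, v in params.items() if k not in ("openid.dh_modulus", "openid.dh_gen")}
    req = parse_association_request(seen, min_modulus_bits)
    resp = op_dh_response(req, mac_key, op_private)
    return rp_recover_mac_key(session_type, use_p, rp_private, resp), req["modulus_defaulted"]
```

Calling run_exchange with the optional fields omitted, or with the default group sent explicitly, gives the RP back the same MAC key the OP chose. Calling it with a non-default group and op_honours_supplied=False reproduces the failure mode Hans describes: the OP silently falls back to the defaults, both sides compute different shared secrets, and the RP unmasks garbage that only shows up later as a signature that does not verify. Raising min_modulus_bits is where an OP would refuse the default group if it is ever regarded as broken.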


Re: modulus and generator optional in association requests

2007-03-20 Thread Josh Hoyt
On 3/20/07, Granqvist, Hans <[EMAIL PROTECTED]> wrote:
> Once something complex is optional, typically few will
> implement it, which means you can run into the inverse:
> implementations that do supply optional values run into parties
> that cannot treat those values correctly.

They are optional in OpenID 1, so the cat's already out of the bag.

I see no reason to make them required in OpenID 2, since this case
will already need to be implemented.

Josh


RE: modulus and generator optional in association requests

2007-03-20 Thread Granqvist, Hans
Once something complex is optional, typically few will
implement it, which means you can run into the inverse: 
implementations that do supply optional values run into parties 
that cannot treat those values correctly. 

This means that if one day the default DH values are regarded 
broken for any reason, it's a hard and cumbersome fix. There 
might be other security implications hidden here, not sure. 

Btw, what do you mean by "be consistent with section 4.1"?

Hans


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Johnny Bufu
> Sent: Tuesday, March 20, 2007 1:07 PM
> To: OpenID specs list
> Subject: modulus and generator optional in association requests
> 
> Hello list!
> 
> The association request [1] seems to be insufficiently specified:  
> openid.dh_modulus and openid.dh_gen are not specifically 
> marked as optional, so according to the "Protocol Messages" 
> [2] section they should be mandatory.
> 
> However, while testing the openid4java code [3], it turns out 
> that RPs are not always sending these fields, which makes me 
> believe the intent of the default values was to make these 
> fields optional in association requests.
> 
> So I suggest we mark the two fields as OPTIONAL to both 
> clarify the usage and be consistent with section 4.1.
> 
> 
> Thanks,
> Johnny
> 
> 
> [1] http://openid.net/specs/openid-authentication-2_0-11.html#anchor19
> [2] http://openid.net/specs/openid-authentication-2_0-11.html#anchor4
> [3] http://groups.google.com/group/openid4java/browse_thread/thread/
> f96a7b68bb15272d