IMPLEMENTOR WARNING: Non-compliant HMAC implementations

Brad Fitzpatrick brad at
Wed Jul 6 14:01:52 PDT 2005

On Wed, 6 Jul 2005, Martin Atkins wrote:

> Brad Fitzpatrick wrote:
> >
> > So is Net::OpenID::Consumer wrong or not?  I just used the code from
> > Digest::HMAC::SHA1 (on CPAN)... I didn't write it.
> >
> Well, even if no-one is technically wrong the OpenID spec should be
> spelling out exactly what format the hash should be in. Otherwise
> everyone using different libraries in different languages will be making
> incompatible digests, as we've already seen.

There's only one HMAC-SHA1.  I'm not going to recopy the RFC into the
OpenID specs page.  I'll go link it, though.

- Brad

More information about the yadis mailing list