OpenID 2.0 proposed security profiles
Dick Hardt
dick at sxip.com
Thu Aug 31 06:24:20 UTC 2006
On 30-Aug-06, at 8:05 AM, Granqvist, Hans wrote:
> Profile A
> http://openid.net/auth/2.0/A
> 1. Yes
> 2. Yes
> 3. Http/Https/XRI
> 4. Yes
> 5. No
> 6. No
> 7. DH-SHA1/DH-SHA256
> 8. No
> 9. No
> 10. HMAC-SHA1/HMAC-SHA256
> 11. No
> 12. Yes
>
>
> Profile B
> http://openid.net/auth/2.0/B
> 1. Yes
> 2. No
> 3. Http/Https/XRI
> 4. Yes
> 5. No
> 6. No
> 7. No-encryption
> 8. No
> 9. No
> 10. HMAC-SHA1/HMAC-SHA256
> 11. Yes
> 12. Yes
It would seem the difference between A & B is:
No stateless-mode & associations over a secure channel
Would you elaborate on the risk profile here?
Perhaps it would be useful to order the items according to the
"riskiness" of each one?
btw: I like the profile A and profile B names! :-)
-- Dick