[OpenID] OpenID and HTTPS

Eric Norman ejnorman at doit.wisc.edu
Fri Feb 9 22:44:02 UTC 2007


On Feb 8, 2007, at 7:52 PM, Terrell Russell wrote:

> Eric Norman wrote:
>>     https://ejnorman.protectnetwork.org
>>
>> All I got was an error that said something about invalid
>> OpenID URL.  I'm sorry I can't quote it here.  I was eventually
>> able to log in using just http instead.
>>
>> My hunch is that this happened because the SSL certificate
>> for protectnetwork says it's idp.protectnetwork.org and
>> that doesn't match the DNS name I supplied (ejnorman...).
>>
>
> I'd guess that's the problem.  Sounds like they need a wildcard cert to
> cover all the named subdomains.

I was hoping for something better than a guess.  I was hoping to
attract the attention of someone who knows.

However, assuming that the guess is correct, then the documentation
needs to be updated, and I don't know what it should say.  Should
the documentation say (1) if the http://user.domain... form of OpenID
URL is supported by an OP, then a wildcard certificate MUST be
obtained, or (2) if that form is allowed, then "https" MUST NOT be
used when supplying an OpenID URL?  Either one seems to have security
or cost ramifications that should be mentioned.

Eric Norman
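
Added example, not part of the original message or of any OpenID library: a simplified RFC 6125-style name check applied to the host names mentioned in the thread, showing what a verifier following those rules would conclude for a single-name certificate versus a wildcard one. The function names and the `*.protectnetwork.org` certificate name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern, host):
    """RFC 6125-style match of one certificate DNS name against a host.

    Simplified: ASCII names only; a wildcard must be the entire leftmost
    label and stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard only allowed leftmost
    if p[0] == "*":
        # require at least two fixed labels so "*.org" never matches
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcards not handled here
    return p == h

def check_openid_url(url, cert_names):
    """Return 'no-tls', 'match' or 'mismatch' for an OpenID URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "no-tls"                   # no certificate is presented or checked
    host = parts.hostname or ""
    ok = any(dns_name_matches(n, host) for n in cert_names)
    return "match" if ok else "mismatch"

if __name__ == "__main__":
    single = ["idp.protectnetwork.org"]   # name reported in the message
    wildcard = ["*.protectnetwork.org"]   # constructed: hypothetical wildcard cert
    for url in ("https://ejnorman.protectnetwork.org",
                "http://ejnorman.protectnetwork.org"):
        print(url, check_openid_url(url, single), check_openid_url(url, wildcard))
```

A wildcard name covers exactly one label, so it matches neither the bare `protectnetwork.org` nor a deeper name such as `a.b.protectnetwork.org`.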



