[OpenID] pbwiki encounters (i.e. wiki.openid.net encounters)

Peter Williams pwilliams at rapattoni.com
Wed Dec 24 20:50:40 UTC 2008 



1.       The PBwiki service continues to cause me major grief when handing off to myopenid (anyone else see this!!?? Why just me!?) It sends bad messages to the OP, about 90% of the time. There is no recovery possibility. Sometimes it works, though, if you fiddle like a programmer (*)



2.       Be cute if their nice, new commenting feature (which accepts a URI) was openid enabled. Be much better experience than forcing members to type in name and an email. http://blog.pbwiki.com/2008/12/19/new-feature-now-readers-can-comment-on-wiki-pages/



3.       There are some basic security flaws in the  hosting model (when augmented with openid). The challenge delivered at the OP asks for release authority to my.pbwiki.com SP, which does not align with the fact that the previous page text (and the address bar) was making be believe I'm talking to wiki.openid.net.



4.      The OP reports: You must sign in to authenticate to http://my.pbwiki.com/ as http://homepw.myopenid.com/ . This is not what I asked for: I asked for identity verification of https://homepw.myopenid.com/. The handoff to the OP does seem to be over https though. I cannot tell if this is OP issue, SP issue, or the nature of OpenID Auth procedures.


5.       There are some basic security flaws in the  hosting model (when augmented with SSL). The foundation should buy its own cert, and let Pbwiki do proper SSL virtual hosting. This doesn't solve 3 though, which is rather more serious. They need to virtualize their openid SP realms - to match the wiki virtual hosting domains. They need to ensure the right hosted cert is used per openid (hosted) realm, and its reflected in the XRDS (see 8).


6.       Prior to the OP handoff, IE generates warnings about mixed content from multiple assurance zones.



7.       On releasing the assertion to my.pbwiki.com, the url is https://my.pbwiki.com//?p=openid&o=f&janrain_nonce=2008-12-24T20%3A18%3A15Z7bd4p0&openid1_claimed_id=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.assoc_handle=%7BHMAC-SHA1%7D%7B49496232%7D%7B3wxYag%3D%3D%7D&openid.identity=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.myopenid.com%2Fserver&openid.response_nonce=2008-12-24T20%3A20%3A22Zng6R5h&openid.return_to=http%3A%2F%2Fmy.pbwiki.com%2F%2F%3Fp%3Dopenid%26o%3Df%26janrain_nonce%3D2008-12-24T20%253A18%253A15Z7bd4p0%26openid1_claimed_id%3Dhttps%253A%252F%252Fhomepw.myopenid.com%252F&openid.sig=G31sZRRUGcnvO9UitvBiQEjwF9A%3D&openid.signed=assoc_handle%2Cidentity%2Cmode%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Csreg.email%2Csreg.fullname%2Csreg.nickname&openid.sreg.email=home_pw%40msn.com&openid.sreg.fullname=Peter+Williams&openid.sreg.nickname=peter<https://my.pbwiki.com/?p=openid&o=f&janrain_nonce=2008-12-24T20%3A18%3A15Z7bd4p0&openid1_claimed_id=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.assoc_handle=%7BHMAC-SHA1%7D%7B49496232%7D%7B3wxYag%3D%3D%7D&openid.identity=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.myopenid.com%2Fserver&openid.response_nonce=2008-12-24T20%3A20%3A22Zng6R5h&openid.return_to=http%3A%2F%2Fmy.pbwiki.com%2F%2F%3Fp%3Dopenid%26o%3Df%26janrain_nonce%3D2008-12-24T20%253A18%253A15Z7bd4p0%26openid1_claimed_id%3Dhttps%253A%252F%252Fhomepw.myopenid.com%252F&openid.sig=G31sZRRUGcnvO9UitvBiQEjwF9A%3D&openid.signed=assoc_handle%2Cidentity%2Cmode%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Csreg.email%2Csreg.fullname%2Csreg.nickname&openid.sreg.email=home_pw%40msn.com&openid.sreg.fullname=Peter+Williams&openid.sreg.nickname=peter> so evidently the perceived claim being verified by the SP is https://homepw not http://homepw. Is this an OP UI issue?



8.       The XRDS at http://my.pbwiki.com/xrds.php makes namespace assertions for its https cousin. Once the openid SP is properly virtualized, the wiki.openid.net realm will need to be published at https://wiki.openid.net/... , obviously.


HTTP/1.0 200 OK
Date: Wed, 24 Dec 2008 20:37:27 GMT
Server: Apache
Connection: close
Content-Type: application/xrds+xml

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://my.pbwiki.com//?p=openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>




(*)it works quite predictably after a first failure if one tries a second time, but only if one uses the back menu to go to the "typein url" screen at my.pbwiki.com. Going back one screen to their post-handler just repeats the protocol violation. Somehow the race is sorted out, the second time around. (On refresh the second time, the graphic that causes the race in IE does not seem to render. HINT.)






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081224/0eff6d97/attachment-0001.htm>

More information about the general mailing list