[OpenID] Bug in OpenID RP implementations

Peter Williams pwilliams at rapattoni.com
Thu Jan 1 16:38:38 UTC 2009


So, what am I supposed to do to figure out which https CAs work at nerdbank's ISP? This limits which https openid I can buy!

I suppose I could trawl through the list in Mozilla, alphabetically, and pay $100 each time, and see which ones Nerdbank accepts (but Plaxo doesn't, but AOL does, but... BlogSpot doesn't).

Nerdbank is just one of 26,000 openid-accepting RP sites - all doing https discovery - that I could have picked on, note.

I suppose the next openid trial should be to go back to XRI. I half recall that I once had an XRI something like *freeid*lockbox which could be made to actually do a 30x redirect. Let's see what happens if I put https://cacert.at/homepw in its redirector.

Given the semantics of HXRI, isn't the XRI/XDI authority endorsing the redirect URLs it introduces, in some authorization/control sense?

In the native trusted resolution mode of XRI Resolution 2, perhaps the signed assertion should be sending back to the resolver library the certid of the SSL authority it advises some particular affiliate network to respect, when using those redirects. I.e. the CA chain it's willing to validate.

CX could do the same kind of thing, of course: make openid endpoints that are themselves proxies for XRI trusted resolution mode, supplying affiliate statements to the CX consumers.


From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Thursday, January 01, 2009 6:39 AM
To: Peter Williams
Cc: OpenID List
Subject: Re: Bug in OpenID RP implementations

I don't think we need a federation built up around trusting certificates.  We already have the certificate authority (CA) model.  I think to get your OpenID working everywhere, you need everyone to start trusting the CA that signed your HTTPS cert, or you need to get a new HTTPS cert that is signed by a more well-known CA (the latter being easier, of course).

As far as the sites you listed that already accept it, either they happen to trust your CA already, or they don't verify that the CA is in a trusted list at all, which is actually quite insecure IMO.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Wed, Dec 31, 2008 at 10:57 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

I don't know what the AOL protocol bug is, to be honest. I did wonder (5% fidelity), given the common AOL relationship, if it was the same as mine, which really showed up with an AOL-related RP (mapquest) last week - when an AOL login page showed up, with some bizarre (obviously buggy) formatting, once I pointed the mapquest RP to my own OP (myopenid) -- via that Austrian URL.

In general :-

AOL rejects my .at URL (rather bizarrely, initiated from mapquest). Nerdbank rejects it. Plaxo rejects it. Pbwiki accepts it. Foundation membership accepts it. Foundation blog accepts it.

Is this a bug? Or just a feature of openid?

As a user I think I expect "Foundation-related" RPs to be in some kind of network - call it an "affiliation" perhaps. What the foundation accepts, all its "peer RPs" accept - including that stuff about CAs.

What Rapattoni accepts, perhaps other US realty sites accept.

I don't really know what the CX proposal contemplates, either. Hopefully it can make my .at openid work at AOL/mapquest. It may have to address the CA stuff. Rather than some happenstance recognition by the RP at its hosting site, we may need some kind of affiliation model. If United reservations accept my openid, so do all the car rental companies, for example.



From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Wednesday, December 31, 2008 8:50 PM
To: Peter Williams
Cc: OpenID List
Subject: Re: [OpenID] Bug in AOL OpenID Provider implementation



Hi Peter,

I just checked out the https://cacert.at/homepw URL you mentioned.  The reason the http://nerdbank.org/rp site rejects that URL is because the HTTPS certificate is not signed by a recognized cert authority at the server hosting the site.

This doesn't actually have anything to do with the AOL issue right? (does this deserve its own thread?) I just want to make sure I'm understanding the issue you're getting at.  I'm also not familiar with this CX thing.  Is that a certificate exchange protocol that's in the works?

Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

I tried to use my https://cacert.at/homepw url at dotnetopenid the other day.

It works at pbwiki and openid foundation, and showed the (good news) padlock.

(If I'm an ordinary user, I'm now confused. If I get on the phone (costing me $10, and the provider $25) I'll probably understand very little of what the level 1 support person tells me about trust networks, and CA CTLs. I'm 58, and all I know is it worked at the openid foundation and not at dotnetopenid. Why wouldn't it?)

Anyone looked at Nat's proposal CX again, recently, while I'm ranting?



From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Wednesday, December 31, 2008 5:02 PM
To: OpenID List
Subject: [OpenID] Bug in AOL OpenID Provider implementation



Is there anyone on this list who works for or with AOL OpenID folks?  I have (below) a description of an interop issue with the AOL OpenID Provider that may be a bug they should look at.

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

---------- Forwarded message ----------
From: Andrew Arnott <andrewarnott at gmail.com>
Date: Wed, Dec 31, 2008 at 5:50 PM
Subject: Re: [dotnetopenid] problems with AOL today?
To: dotnetopenid at googlegroups.com


Thanks for reporting this, Joel.  This is a bug in AOL's encoding/decoding of the return_to URL, as I detail below.  I'll forward this onto the AOL OpenID folks (as soon as I can figure out who they are) and suggest they fix this bug pronto!

As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL with a twice-URL-encoded + sign as the value for the token parameter, as appropriate.  That is, the plus sign is an actual character in the (base 64 encoded) value, which must be URL encoded because it is a URL parameter.  Then since the return_to URI is itself a URL parameter, it is encoded again.

But when the auth message comes back from AOL (and only AOL has this issue, reportedly starting 12/31/08) the + sign character in the return_to URL has been decoded by AOL rather than being preserved as DotNetOpenId had written it.  As a result, the + sign is misinterpreted as a URL encoding of the space character, causing the base64 decoding operation to fail.

Analysis: AOL is decoding the return_to parameter, and not properly re-encoding it before sending it back to the RP.

2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
    openid.mode: checkid_setup
    openid.identity: http://openid.aol.com/webmyway
    openid.trust_root: http://nerdbank.org/RP/
    openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB%2biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
    openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
    openid.ns.sreg: http://openid.net/extensions/sreg/1.1
    openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
    openid.sreg.required: gender,postcode,timezone
    openid.sreg.optional: email,country

2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB%252biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry

2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
    ReturnUrl: /rp/MembersOnly/Default.aspx
    token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
    OpenIdTextBox_UsePersistentCookie: False
    openid.mode: id_res
    openid.identity: http://openid.aol.com/webmyway
    openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
    openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB+iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
    openid.signed: identity,return_to
    openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
    openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire



On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:

Hey, anyone else having issues with AOL openid? As of today on my site I can't use aol to login or signup; there is a problem with the token they are sending over. Haven't had a chance to debug yet, just wondering if anyone else has seen it?

When I try using Andrew's site I see the same problem:

Server Error in '/RP' Application.
Invalid length for a Base-64 char array.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.FormatException: Invalid length for a Base-64 char array.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[FormatException: Invalid length for a Base-64 char array.]
  System.Convert.FromBase64String(String s) +0
  DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore store) in Token.cs:82
  DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2 query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean verifySignature) in AuthenticationResponse.cs:222
  DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in OpenIdRelyingParty.cs:294
  DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in OpenIdTextBox.cs:639
  System.Web.UI.Control.LoadRecursive() +47
  System.Web.UI.Control.LoadRecursive() +131
  System.Web.UI.Control.LoadRecursive() +131
  System.Web.UI.Control.LoadRecursive() +131
  System.Web.UI.Control.LoadRecursive() +131
  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436



thanks
Joel
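
The return_to round trip Andrew analyses above, as an added example in Python (not DotNetOpenId's or AOL's code). It builds the checkid_setup redirect the way the log shows (a base64 token URL-encoded once into return_to, and return_to URL-encoded again into the OP query), then plays the OP two ways: once preserving the RP's encoding, and once decoding return_to a second time without re-encoding it. The RP side parses its query string back, and a small imitation of System.Convert.FromBase64String (which skips whitespace and then requires a length that is a multiple of 4) reproduces the "Invalid length for a Base-64 char array" failure from Joel's trace. The OP endpoint and RP URLs are placeholders and the token bytes are constructed so that their base64 form contains exactly one '+'.

```python
"""RP -> OP -> RP round trip of an OpenID 1.x return_to URL, with a correct OP
and with one that decodes return_to and fails to re-encode it.
Added example; not DotNetOpenId or AOL code."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

OP_ENDPOINT = "https://op.example/auth/openidServer"   # assumed placeholder
RP_LOGIN = "http://rp.example/RP/login.aspx"           # assumed placeholder


def rp_build_checkid_setup(token: bytes) -> str:
    """RP side.  The binary token is base64'd and URL-encoded once as a query
    parameter of return_to; return_to is then URL-encoded a second time as a
    query parameter of the OP redirect, so '+' in the base64 becomes %252B."""
    token_b64 = base64.b64encode(token).decode("ascii")
    return_to = RP_LOGIN + "?" + urlencode(
        {"ReturnUrl": "/rp/MembersOnly/Default.aspx", "token": token_b64})
    query = urlencode({"openid.mode": "checkid_setup",
                       "openid.return_to": return_to})
    return OP_ENDPOINT + "?" + query


def op_respond(redirect_url: str, buggy: bool) -> str:
    """OP side.  Decode the request once (parse_qs does that), then send the
    browser to return_to with the id_res parameters appended.  A correct OP
    leaves the inner %2B / %3D escapes inside return_to untouched."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    return_to = params["openid.return_to"]
    if buggy:
        # Second decode: %2B becomes a literal '+' in the RP's query string,
        # which the RP's parser will later read back as a space.
        return_to = unquote(return_to)
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid.mode": "id_res",
                                        "openid.return_to": return_to})


def rp_parse_response(response_url: str) -> dict:
    """RP side: one decode of its own query string, with '+' meaning space."""
    return {k: v[0] for k, v in parse_qs(urlsplit(response_url).query).items()}


def dotnet_from_base64(s: str) -> bytes:
    """Imitate System.Convert.FromBase64String: whitespace is ignored, and what
    remains must be a multiple of 4 characters, otherwise it throws
    'Invalid length for a Base-64 char array'."""
    stripped = re.sub(r"[ \t\r\n]", "", s)
    if len(stripped) % 4:
        raise ValueError("Invalid length for a Base-64 char array.")
    return base64.b64decode(stripped, validate=True)


def round_trip(token: bytes, buggy: bool) -> bytes:
    """Drive one full exchange and decode the token as the RP would see it."""
    request = rp_build_checkid_setup(token)
    response = op_respond(request, buggy=buggy)
    return dotnet_from_base64(rp_parse_response(response)["token"])


def buggy_failure(token: bytes) -> str:
    """Error text the RP raises against the buggy OP, or '' if it decoded."""
    try:
        round_trip(token, buggy=True)
    except ValueError as e:
        return str(e)
    return ""


# Constructed token whose base64 form, "+G9wZW5pZC1ub25jZQ==", holds one '+'.
TOKEN = b"\xf8openid-nonce"

if __name__ == "__main__":
    print("correct OP:", round_trip(TOKEN, buggy=False))
    print("buggy OP:  ", buggy_failure(TOKEN))
```

With the correct OP the token decodes to the original bytes; with the buggy one the '+' arrives as a space, the .NET-style decoder drops it, and the 19 characters left over trigger the length error rather than a silently wrong token. Had the base64 contained four '+' characters in a row, the stripped length would still be a multiple of 4 and the decode would succeed with corrupted content, so a length check alone is not a reliable detector of this class of bug.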
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090101/0900af07/attachment-0002.htm>