[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Thu Jan 1 18:14:52 UTC 2009


This might already be clear, but I'll rephrase just to be sure it's clear
to everyone: DotNetOpenId does not itself have a list of CAs it trusts; it's
entirely up to the Windows server that hosts the web site that uses it.

Because of that, the list of CAs that work with http://nerdbank.org is
whatever list GoDaddy happens to use (since they happen to host that web
site).  I don't have any reason to believe that GoDaddy has customized their
list of CAs, so I imagine if you look at any fresh install of Windows
Server and run "certmgr" (I think that is the command) you can see the list of
trusted CAs there, and it's probably a good bet that most browsers
and servers have at least that list as a starting point.

In general, the easiest way to see if you've got a cert signed by a
well-known CA (assuming you haven't added CAs to your own computer's list)
is this: if your browser can navigate to a given HTTPS URL without displaying
a cert warning, then you probably have a good one.

Peter, your URL in particular (https://cacert.at/homepw) generates a cert
warning in my browser, which is a standard Windows desktop computer.  This
suggests to me that you probably bought your HTTPS cert from some
lesser-known discount CA.  I suggest you get a new one.  You can get certs
that are recognized by virtually everyone for around $15/year, so I don't
think there's any reason to get a cheaper one if it cuts off your audience,
and in this case yourself from some RPs.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 9:38 AM, Peter Williams <pwilliams at rapattoni.com>wrote:

>
>
> So, what am I supposed to do to figure out which https CAs work at nerdbank's
> ISP? This limits which https openid I can buy!
>
>
>
> I suppose I could trawl through the list in Mozilla, alphabetically, and
> pay $100 each time, and see which ones Nerdbank accepts (but Plaxo doesn't,
> but AOL does, but… BlogSpot doesn't)
>
>
>
>  Nerdbank is just one of 26,000 openid-accepting RP sites – all doing
>  https discovery – that I could have picked on, note.
>
> I suppose the next openid trial should be to go back to XRI. I half recall
> I one time had an XRI something like *freeid*lockbox which could be made to
> actually do a 30x redirect. Let's see what happens if I put
> https://cacert.at/homepw in its redirector.
>
>
>
> Given the semantics of HXRI, isn't the XRI/XDI authority endorsing the
> redirect URLs it introduces, in some authorization/control sense?
>
>
>
> In the native trusted resolution mode of XRI Resolution 2, perhaps the
> signed assertion should be sending back to the resolver library the certid
> of the SSL authority it advises some particular affiliate network to
> respect, when using those redirects. I.e. the CA chain it's willing to
> validate.
>
>
>
> CX could do the same kind of thing, of course: make openid endpoints that
> are themselves proxies for XRI trusted resolution mode supping affiliate
> statements to the CX consumers.
>
>
>
>
>
> *From:* Andrew Arnott [mailto:andrewarnott at gmail.com]
> *Sent:* Thursday, January 01, 2009 6:39 AM
> *To:* Peter Williams
> *Cc:* OpenID List
> *Subject:* Re: Bug in OpenID RP implementations
>
>
>
> I don't think we need a federation built up around trusting certificates.
> We already have the certificate authority (CA) model.  I think to get your
> OpenID working everywhere, you need everyone to start trusting the CA that
> signed your HTTPS cert, or you need to get a new HTTPS cert that is signed
> by a more well-known CA (the latter being easier, of course).
>
> As far as the sites you listed that already accept it, either they happen
> to trust your CA already, or they don't verify that the CA is in a trusted
> list at all, which is actually quite insecure IMO.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>  On Wed, Dec 31, 2008 at 10:57 PM, Peter Williams <pwilliams at rapattoni.com>
> wrote:
>
> I don't know what the AOL protocol bug is, to be honest. I did wonder (5%
> fidelity), given the common AOL relationship, if it was the same as mine,
> which really showed up with an AOL-related RP (mapquest) last week – when an
> AOL login page showed up, with some bizarre (obviously buggy) formatting,
> once I pointed the mapquest RP to my own OP (myopenid) -- via that Austrian
> URL.
>
>
>
> In general :-
>
> AOL rejects my .at URL (rather bizarrely, initiated from mapquest).
> Nerdbank rejects it. Plaxo rejects it. Pbwiki accepts it. Foundation
> membership accepts it. Foundation blog accepts it.
>
>
>
> Is this a bug? Or just a feature of openid?
>
>
>
> As a user I think I expect "Foundation-related" RPs to be in some kind of
> network – call it an "affiliation" perhaps. What the foundation accepts, all
> its "peer RPs" accept – including that stuff about CAs.
>
> What Rapattoni accepts, perhaps other US realty sites accept.
>
>
>
> I don't really know what the CX proposal contemplates, either.
> Hopefully it can make my .at openid work at AOL/mapquest. It may have to
> address the CA stuff. Rather than some happenstance recognition by the RP at
> its hosting site, we may need some kind of affiliation model. If United
> reservations accept my openid, so do all the car rental companies, for
> example.
>
>
>
> *From:* Andrew Arnott [mailto:andrewarnott at gmail.com]
> *Sent:* Wednesday, December 31, 2008 8:50 PM
> *To:* Peter Williams
> *Cc:* OpenID List
> *Subject:* Re: [OpenID] Bug in AOL OpenID Provider implementation
>
>
>
> Hi Peter,
>
> I just checked out the https://cacert.at/homepw URL you mentioned.  The
> reason the http://nerdbank.org/rp site rejects that URL is because the
> HTTPS certificate is not signed by a recognized cert authority at the server
> hosting the site.
>
> This doesn't actually have anything to do with the AOL issue right? (does
> this deserve its own thread?) I just want to make sure I'm understanding the
> issue you're getting at.  I'm also not familiar with this CX thing.  Is that
> a certificate exchange protocol that's in the works?
>
> Thanks.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
> On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <pwilliams at rapattoni.com>
> wrote:
>
> I tried to use my https://cacert.at/homepw url at dotnetopenid the other
> day.
>
>
>
> It works at pbwiki and openid foundation, and showed the (good news)
> padlock.
>
>
>
> (If I'm an ordinary user, I'm now confused. If I get on the phone (costing
> me $10, and the provider $25) I'll probably understand very little of what
> the level 1 support person tells me about trust networks, and CA CTLs. I'm 58,
> and all I know is it worked at the openid foundation and not at
> dotnetopenid. Why wouldn't it?)
>
>
>
> Anyone looked at Nat's proposal CX again, recently, while I'm ranting?
>
>
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Andrew Arnott
> *Sent:* Wednesday, December 31, 2008 5:02 PM
> *To:* OpenID List
> *Subject:* [OpenID] Bug in AOL OpenID Provider implementation
>
>
>
> Is there anyone on this list who works for or with AOL OpenID folks?  I
> have (below) a description of an interop issue with the AOL OpenID Provider
> that may be a bug they should look at.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
> ---------- Forwarded message ----------
> From: *Andrew Arnott* <andrewarnott at gmail.com>
> Date: Wed, Dec 31, 2008 at 5:50 PM
> Subject: Re: [dotnetopenid] problems with AOL today?
> To: dotnetopenid at googlegroups.com
>
>
> Thanks for reporting this, Joel.  This is a bug in AOL's encoding/decoding
> of the return_to URL, as I detail below.  I'll forward this on to the AOL
> OpenID folks (as soon as I can figure out who they are) and suggest they fix
> this bug pronto!
>
> As can be seen in the below log, DotNetOpenId is sending AOL a return_to
> URL with a twice-URL-encoded + sign as the value for the token parameter, as
> appropriate.  That is, the plus sign is an actual character in the (base 64
> encoded) value, which must be URL encoded because it is a URL parameter.
> Then since the return_to URI is itself a URL parameter, it is encoded
> again.
>
> But when the auth message comes back from AOL (and only AOL has this issue,
> reportedly starting 12/31/08) the + sign character in the return_to URL has
> been decoded by AOL rather than being preserved as DotNetOpenId had written
> it.  As a result, the + sign is misinterpreted as a URL encoding of the
> space character, causing the base64 decoding operation to fail.
>
> *Analysis: AOL is decoding the return_to parameter, and not properly
> re-encoding it before sending it back to the RP.*
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
>               openid.mode: checkid_setup
>               openid.identity: http://openid.aol.com/webmyway
>               openid.trust_root: http://nerdbank.org/RP/
>               openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*%2b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
>               openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
>               openid.ns.sreg: http://openid.net/extensions/sreg/1.1
>               openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
>               openid.sreg.required: gender,postcode,timezone
>               openid.sreg.optional: email,country
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB*%252b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
>
> 2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
>               ReturnUrl: /rp/MembersOnly/Default.aspx
>               token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
>               OpenIdTextBox_UsePersistentCookie: False
>               openid.mode: id_res
>               openid.identity: http://openid.aol.com/webmyway
>               openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
>               openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*+*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
>               openid.signed: identity,return_to
>               openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
>               openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
>
>  --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
>
> On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:
>
>
> Hey, anyone else having issues with AOL openid? As of today on my site I
> can't use aol to login or signup; there is a problem with the token they are
> sending over. Haven't had a chance to debug yet, just wondering if anyone
> else has seen it?
>
> When I try using Andrew's site I see the same problem:
>
> Server Error in '/RP' Application.
> Invalid length for a Base-64 char array.
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.FormatException: Invalid length for a Base-64
> char array.
>
> Source Error:
>
> An unhandled exception was generated during the execution of the current
> web request. Information regarding the origin and location of the exception
> can be identified using the exception stack trace below.
>
> Stack Trace:
>
> [FormatException: Invalid length for a Base-64 char array.]
>   System.Convert.FromBase64String(String s) +0
>   DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
> store) in Token.cs:82
>   DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
> query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
> verifySignature) in AuthenticationResponse.cs:222
>   DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
> OpenIdRelyingParty.cs:294
>   DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
> OpenIdTextBox.cs:639
>   System.Web.UI.Control.LoadRecursive() +47
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Page.ProcessRequestMain(Boolean
> includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
>
>
>
> thanks
> Joel
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>