[OpenID] Bug in OpenID RP implementations
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 1 20:45:11 UTC 2009
Eric,
I believe it is exactly the problem that Peter is facing.
Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote https
to http (or if so it would be a bug), but it will go through *all* endpoints
listed for a given OpenID and choose from among that list. So if your
OpenID has multiple service endpoints listed (through an XRDS file), can you
check whether a non-HTTPS OP Endpoint is among the list?
I'd very much like to know the particular OpenID you were trying it with so
I can examine the behavior if you'd care to share (perhaps off the list if
you wish).
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 12:52 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Jan 1, 2009, at 12:14 PM, Andrew Arnott wrote:
>
> > Because of that, the list of CAs that work with http://nerdbank.org is
> > whatever list GoDaddy happens to use (since they happen to host that
> > web site).
>
> That may be the case, but it's probably not relevant or at best
> only a part of the problem.
>
> When I tried going to nerdbank.org/rp and typing in an OpenID
> that starts with "https:", the server at nerdbank changed it
> to "http:" and used that to connect with my OP. Other than
> the fact that I don't appreciate the weakening of security,
> it also failed and said "Login failed: The 'openid.identity'
> parameter was expected to have the value 'https:...' but had
> 'http:...' instead".
>
> Eric Norman
>
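The check requested in the message above (whether a non-HTTPS OP Endpoint is among the services listed in an XRDS file for an https identifier) can be run as follows. This is an added example, not part of the original message and not DotNetOpenId code; the XRDS document, host names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
# Service types that mark an OpenID OP endpoint (OpenID 2.0 and 1.x).
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/signon",
    "http://specs.openid.net/auth/2.0/server",
    "http://openid.net/signon/1.1",
    "http://openid.net/signon/1.0",
}

# Constructed sample: one HTTPS endpoint, one plain-HTTP endpoint, one unrelated service.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.com/server</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://op.example.com/server</URI>
    </Service>
    <Service>
      <Type>http://example.com/unrelated</Type>
      <URI>http://other.example.com/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def openid_endpoints(xrds_text):
    """Return every URI of every OpenID service in the XRDS, in document order."""
    # Note: for XRDS fetched from untrusted hosts, use a hardened XML parser.
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if types & OPENID_TYPES:
            found += [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
    return found

def insecure_endpoints(claimed_id, xrds_text):
    """For an https identifier, list the OP endpoints that are not https."""
    if urlsplit(claimed_id).scheme.lower() != "https":
        return []
    return [u for u in openid_endpoints(xrds_text)
            if urlsplit(u).scheme.lower() != "https"]

if __name__ == "__main__":
    print(insecure_endpoints("https://user.example.com/", SAMPLE_XRDS))
```
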