[OpenID] Bug in OpenID RP implementations

Peter Williams pwilliams at rapattoni.com
Thu Jan 1 21:01:08 UTC 2009


This general topic has been confusing me for a week (being dumb). Reading the spec further helped zero (seeing as it's minimalist and abstruse).

Enter an https URL at pbwiki, the OP (myopenid) will do its thing over foreground https, but the resulting challenge screen only petitions for user auth about my http:// openid claim (which I didn't make). It sends back a positive assertion about the https:/../ form though.

Myopenid presented the https claim in its UI (over foreground https) in other RP cases - the openid foundation blog site, as I 49% recall.

Can one properly present a https claim to an OP that does not advertise an https-capable OP endpoint?


From: general-bounces at openid.net On Behalf Of Andrew Arnott
Sent: Thursday, January 01, 2009 12:45 PM
To: Eric Norman
Cc: OpenID List
Subject: Re: [OpenID] Bug in OpenID RP implementations

Eric,

I believe it is exactly the problem that Peter is facing.

Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote https to http (or if so, it would be a bug), but it will go through all endpoints listed for a given OpenID and choose from among that list.  So if your OpenID has multiple service endpoints listed (through an XRDS file), can you check whether a non-HTTPS OP Endpoint is among the list?

I'd very much like to know the particular OpenID you were trying it with so I can examine the behavior if you'd care to share (perhaps off the list if you wish).

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Thu, Jan 1, 2009 at 12:52 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:

On Jan 1, 2009, at 12:14 PM, Andrew Arnott wrote:

> Because of that, the list of CAs that work with http://nerdbank.org is
> whatever list GoDaddy happens to use (since they happen to host that
> web site).
That may be the case, but it's probably not relevant or at best
only a part of the problem.

When I tried going to nerdbank.org/rp and typing in an OpenID
that starts with "https:", the server at nerdbank changed it
to "http:" and used that to connect with my OP.  Other than
the fact that I don't appreciate the weakening of security,
it also failed and said "Login failed: The 'openid.identity'
parameter was expected to have the value 'https:...' but had
'http:...' instead".

Eric Norman

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
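The two RP-side steps the thread turns on, as an added example in Python (this is not code from DotNetOpenId, myOpenID, pbwiki or any other implementation named above): normalising the user-typed identifier without ever changing an https scheme to http, choosing an OP endpoint from the XRDS service list, and then checking the returned assertion against what discovery produced, so that an 'openid.identity' of http://... for an https://... claim is rejected the way Eric's error message describes. The identifier https://eric.example.org/, the XRDS document, the OP hostname and the response fields are all constructed for the example; the https-only endpoint policy (Peter's question) is a local RP choice, not a spec requirement, and is a parameter here. Signature verification is left out.

```python
"""Scheme-preserving OpenID 2.0 discovery and assertion checks (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

XRD = "{xri://$xrd*($v*2.0)}"             # namespace of XRD/Service/Type/URI/LocalID
SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID2_NS = "http://specs.openid.net/auth/2.0"


def normalize_claimed_id(user_input: str) -> str:
    """OpenID 2.0 section 7.2 normalisation for URL identifiers.

    'http://' is prepended only when the user typed no scheme at all; an
    identifier entered as https:// keeps https and is never rewritten later.
    """
    s = user_input.strip()
    if s.lower().startswith("xri://") or s.startswith(("=", "@", "+", "$", "!")):
        raise ValueError("XRI identifiers are outside this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported scheme %r" % parts.scheme)
    # lower-case scheme and host, default the path to "/", drop any fragment
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str, xrds_xml: str) -> List[Dict]:
    """Turn the XRDS that Yadis discovery returned for claimed_id into a list
    of signon endpoints, most-preferred first (lower 'priority' wins; a
    Service without the attribute sorts last)."""
    endpoints = []
    for svc in ET.fromstring(xrds_xml).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        uri = svc.findtext(XRD + "URI")
        if SIGNON not in types or not uri:
            continue
        prio = svc.get("priority")
        endpoints.append({
            "claimed_id": claimed_id,
            # the OP-Local Identifier defaults to the claimed identifier itself
            "op_local_id": (svc.findtext(XRD + "LocalID") or claimed_id).strip(),
            "op_endpoint": uri.strip(),
            "priority": int(prio) if prio is not None else float("inf"),
        })
    endpoints.sort(key=lambda e: e["priority"])
    return endpoints


def select_endpoint(endpoints: List[Dict], https_op_only: bool) -> Optional[Dict]:
    """Pick the endpoint to redirect to. With https_op_only=True (an RP policy
    assumed for this example) a plaintext OP endpoint is skipped even when the
    XRDS lists it at a better priority; None means no acceptable endpoint."""
    for ep in endpoints:
        if https_op_only and urlsplit(ep["op_endpoint"]).scheme != "https":
            continue
        return ep
    return None


def verify_assertion(expected: Dict, response: Dict) -> List[str]:
    """OpenID 2.0 section 11.2: the positive assertion must carry exactly the
    identifiers and endpoint discovery produced. The scheme is part of the
    identifier, so http:// against https:// is a mismatch."""
    def no_fragment(u: str) -> str:          # OPs may append a fragment to claimed_id
        return urlunsplit(urlsplit(u)._replace(fragment=""))

    problems = []
    if response.get("openid.ns") != OPENID2_NS:
        problems.append("not an OpenID 2.0 response")
    if response.get("openid.mode") != "id_res":
        problems.append("mode is not id_res")
    if no_fragment(response.get("openid.claimed_id", "")) != expected["claimed_id"]:
        problems.append("openid.claimed_id differs from the discovered claimed identifier")
    if response.get("openid.identity") != expected["op_local_id"]:
        problems.append("openid.identity differs from the discovered OP-Local Identifier")
    if response.get("openid.op_endpoint") != expected["op_endpoint"]:
        problems.append("openid.op_endpoint is not an endpoint discovery returned")
    return problems


# Constructed XRDS for the constructed identifier https://eric.example.org/:
# the better-priority endpoint is plaintext, the other is https.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://op.example.net/server</URI>
      <LocalID>https://eric.example.org/</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/server</URI>
      <LocalID>https://eric.example.org/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    cid = normalize_claimed_id("https://Eric.example.org/#old")
    ep = select_endpoint(discover(cid, SAMPLE_XRDS), https_op_only=True)
    demoted = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
               "openid.claimed_id": cid, "openid.identity": "http://eric.example.org/",
               "openid.op_endpoint": ep["op_endpoint"]}
    print(cid, ep["op_endpoint"], verify_assertion(ep, demoted))
```

Note that the comparison in verify_assertion is against the endpoint record the RP actually redirected to, which it has to keep in its own session state; checking the response against whatever the OP now claims (re-running discovery on openid.claimed_id after the fact) is the pattern that lets a scheme change slip through.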

