[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Thu Jan 1 23:15:22 UTC 2009


Peter said: Can one properly present a https claim to an OP that does not
advertise an https-capable OP endpoint?

Absolutely.  For instance, suppose I have an OpenID provided by someop.org.
They don't do SSL so their OP endpoint obviously doesn't offer an https
endpoint and the OpenID they assigned to me is just a standard HTTP as
well.  However, I use openid delegation to actually make my Claimed
Identifier be https://blog.nerdbank.net.  I now have a Claimed Identifier
which is HTTPS, but a Provider that only does HTTP.

There is no violation of the OpenID spec in this scenario and I would fully
expect it to work properly at all RPs -- unless a given RP uses what
DotNetOpenId calls "RequireSsl" mode and requires end-to-end SSL, in which
case as soon as the HTTPS discovery on https://blog.nerdbank.net revealed
that the OP used a non-HTTPS endpoint it would fail out and refuse to let
the user log in.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 2:01 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

> This general topic has been confusing me for a week (being dumb). Reading
> the spec further helped zero (seeing as it's minimalist and abstruse).
>
> Enter an https URL at pbwiki, the OP (myopenid) will do its things over
> foreground https, but the resulting challenge screen only petitions for user
> auth about my http:// openid claim (which I didn't make). It sends back a
> positive assertion about the https:/../ form though.
>
> Myopenid presented the https claim in its UI (over foreground https) in
> other RP cases - the openid foundation blog site, as I 49% recall.
>
> Can one properly present a https claim to an OP that does not advertise an
> https-capable OP endpoint?
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Andrew Arnott
> *Sent:* Thursday, January 01, 2009 12:45 PM
> *To:* Eric Norman
> *Cc:* OpenID List
> *Subject:* Re: [OpenID] Bug in OpenID RP implementations
>
> Eric,
>
> I believe it is exactly the problem that Peter is facing.
>
> Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote
> https to http (or if so it would be a bug), but it will go through *all*
> endpoints listed for a given OpenID and choose from among that list.  So if
> your OpenID has multiple service endpoints listed (through an XRDS file) can
> you check whether a non HTTPS OP Endpoint is among the list?
>
> I'd very much like to know the particular OpenID you were trying it with so
> I can examine the behavior if you'd care to share (perhaps off the list if
> you wish).
>
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
> On Thu, Jan 1, 2009 at 12:52 PM, Eric Norman <ejnorman at doit.wisc.edu>
> wrote:
>
> On Jan 1, 2009, at 12:14 PM, Andrew Arnott wrote:
>
> > Because of that, the list of CAs that work with http://nerdbank.org is
> > whatever list GoDaddy happens to use (since they happen to host that
> > web site).
>
> That may be the case, but it's probably not relevant or at best
> only a part of the problem.
>
> When I tried going to nerdbank.org/rp and typing in an OpenID
> that starts with "https:", the server at nerdbank changed it
> to "http:" and used that to connect with my OP.  Other than
> the fact that I don't appreciate the weakening of security,
> it also failed and said "Login failed: The 'openid.identity'
> parameter was expected to have the value 'https:...' but had
> 'http:...' instead".
>
> Eric Norman
>
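To make the delegation scenario Andrew describes concrete, here is an added example (not DotNetOpenId's or any other library's code) of the RP-side decision: discovery on an https Claimed Identifier that delegates to an http-only OP, the "RequireSsl" style check that rejects it, and the assertion comparison that fails when an RP demotes the identifier to http as Eric observed. The OP host, paths and page contents are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the HTML served at the https Claimed Identifier.
# The OP host and paths are assumptions; only the delegation pattern is from the thread.
DELEGATING_PAGE = """<html><head>
<link rel="openid2.provider" href="http://someop.example/server">
<link rel="openid2.local_id" href="http://someop.example/andrew">
</head></html>"""

@dataclass
class Service:
    claimed_id: str    # what the user typed, e.g. https://blog.nerdbank.net
    local_id: str      # OP-Local Identifier (the delegate), or the Claimed Identifier
    op_endpoint: str   # where the RP will send the user

def discover(claimed_id: str, html: str) -> Service:
    """Minimal HTML-based discovery: read the provider endpoint and any
    delegated local identifier from <link> tags."""
    def link(rel):
        m = re.search(r'<link rel="%s" href="([^"]+)"' % re.escape(rel), html)
        return m.group(1) if m else None
    op = link("openid2.provider")
    if op is None:
        raise ValueError("no OP endpoint found for %s" % claimed_id)
    return Service(claimed_id, link("openid2.local_id") or claimed_id, op)

def is_https(url: str) -> bool:
    return urlsplit(url).scheme == "https"

def accept_service(svc: Service, require_ssl: bool) -> bool:
    """RequireSsl-style policy: an https Claimed Identifier may delegate to an
    http-only OP, unless the RP insists on end-to-end SSL."""
    if not require_ssl:
        return True
    return is_https(svc.claimed_id) and is_https(svc.op_endpoint)

def check_assertion(svc: Service, response: dict) -> bool:
    """Compare the positive assertion with what discovery produced. The RP must
    keep the original https identifiers; a demoted http form will not match."""
    return (response.get("openid.claimed_id") == svc.claimed_id
            and response.get("openid.identity") == svc.local_id
            and response.get("openid.op_endpoint") == svc.op_endpoint)
```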