[OpenID] Bug in OpenID RP implementations
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 1 23:20:16 UTC 2009
Eric, I notice that although your Claimed Identifier in your example is
https://ejnorman.protectnetwork.org, which is a "secure" identity page, it
contains this tag:
<link rel="openid.server" href="http://openid.protectnetwork.org/server"></link>
This means that the RP will 'securely' discover that your authenticating OP
is an 'insecure' URL and happily use it (again, unless the RP takes special
measures that are beyond what the OpenID spec mandates). And again,
DotNetOpenId does have a RequireSsl mode that does exactly this, which would
essentially deny you the ability to log in with this Claimed Id because it
has an insecure element in the chain.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 2:18 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Jan 1, 2009, at 2:45 PM, Andrew Arnott wrote:
>
> > Eric,
> >
> > I believe it is exactly the problem that Peter is facing.
> >
> > Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote
> > https to http (or if so it would be a bug), but it will go through all
> > endpoints listed for a given OpenID and choose from among that list.
> > So if your OpenID has multiple service endpoints listed (through an
> > XRDS file), can you check whether a non-HTTPS OP Endpoint is among the
> > list?
>
> The address bar said http, but I might have looked
> too quickly. It could have been protectnetwork that
> did the demotion.
>
> > I'd very much like to know the particular OpenID you were trying it
> > with so I can examine the behavior if you'd care to share (perhaps off
> > the list if you wish).
>
> https://ejnorman.protectnetwork.org
>
> This has worked at some OpenID sites in the past.
>
> In any case, there's certainly a bug somewhere since
> the error message I quoted is complaining about
> something I never typed.
>
> Eric Norman
>
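The discovery chain Andrew describes, as an added example that is not code from the thread or from DotNetOpenId: parse the `<link rel="openid.server">` tag out of a claimed identifier's HTML and flag every element of the chain that is not HTTPS, which is the condition a RequireSsl-style RP mode would reject on. The HTML snippet is constructed from the tag quoted in the e-mail, and the check is a reading of the behaviour described in the thread, not the library's own implementation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values that HTML-based OpenID discovery recognises (OpenID 1.x and 2.0)
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}


class OpenIDLinkParser(HTMLParser):
    """Collects the <link rel=... href=...> tags used for OpenID discovery."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
            if rel in OPENID_RELS and a.get("href"):
                self.links[rel] = a["href"]


def discover(html):
    """Return the OpenID discovery links found in a claimed identifier's page."""
    p = OpenIDLinkParser()
    p.feed(html)
    return p.links


def insecure_links(claimed_id, links):
    """Map each element of the discovery chain that is not HTTPS to its URL.
    Empty means the chain is SSL-clean, the condition a RequireSsl-style RP
    mode (as described in the thread) would require before accepting the id."""
    chain = {"claimed_id": claimed_id, **links}
    return {name: url for name, url in chain.items()
            if urlparse(url).scheme.lower() != "https"}


# Constructed sample modelled on the tag quoted in the e-mail (no live fetch)
SAMPLE_CLAIMED_ID = "https://ejnorman.protectnetwork.org"
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://openid.protectnetwork.org/server"></link>
</head></html>"""

if __name__ == "__main__":
    bad = insecure_links(SAMPLE_CLAIMED_ID, discover(SAMPLE_HTML))
    print("RequireSsl would accept:", not bad, bad)
```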