[OpenID] Bug in OpenID RP implementations

Eric Norman ejnorman at doit.wisc.edu
Fri Jan 2 00:36:28 UTC 2009


On Jan 1, 2009, at 5:20 PM, Andrew Arnott wrote:

> Eric, I notice that although your Claimed Identifier in your example 
> is https://ejnorman.protectnetwork.org, which is a "secure" identity 
> page, it contains this tag:
> <link rel="openid.server" 
> href="http://openid.protectnetwork.org/server"></link>
>
>
> This means that the RP will 'securely' discover that your 
> authenticating OP is an 'insecure' URL and happily use it (again, 
> unless the RP takes special measures that are beyond what the OpenID 
> spec mandates).  And again, DotNetOpenId does have a RequireSsl mode 
> that does exactly this, which would essentially deny you the ability 
> to log in with this Claimed Id because it has an insecure element in 
> the chain.

OK, I think I understand what you're saying.

I don't know what you mean by DotNetOpenID.  But if you're
saying that the RP that I used (nerdbank.org/rp) does the
RequireSSL thing, then how come I was allowed to continue
the process of authenticating to protectnetwork?

And let's not forget that the error message I quoted is
not appropriate.  If I'm supposed to talk to the
protectnetwork OP about this problem, then sending them
that error message is really going to help, isn't it?
(That was sarcasm).

Eric Norman
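For readers following the discovery issue under discussion, here is an added example (it is not from this thread and is not DotNetOpenId's code) of the kind of RP-side check a RequireSsl mode performs: parse the `<link rel="openid.server" ...>` tags from the identity page, and when the claimed identifier is https, refuse to continue if the discovered OP endpoint is not, reporting which element of the chain is insecure so the error is actually actionable. The identity page, hostnames and function names below are constructed for illustration.

```python
"""Added example: enforce an all-HTTPS OpenID discovery chain on the RP side.

Not code from the thread or from DotNetOpenId. Hostnames, the sample
identity page and function names are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> tags in an HTML identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        # rel may carry several space-separated values; keep the first href per rel
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, href)


def discover(html_doc):
    """Return the OpenID 1.x/2.0 HTML-discovery links found in the page."""
    parser = _LinkCollector()
    parser.feed(html_doc)
    wanted = ("openid.server", "openid.delegate",
              "openid2.provider", "openid2.local_id")
    return {k: v for k, v in parser.links.items() if k in wanted}


def check_chain(claimed_id, links, require_ssl=True):
    """Validate the discovery chain; return (ok, reason).

    With require_ssl=True the claimed identifier and the OP endpoint it
    points at must both be https. The reason string names the element
    that failed so it can be reported to the user or the OP operator.
    """
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        return False, "no OP endpoint link found in the identity page"
    if not require_ssl:
        return True, "ok (ssl not required)"
    claimed_scheme = urlsplit(claimed_id).scheme.lower()
    if claimed_scheme != "https":
        return False, f"claimed identifier {claimed_id} is not https"
    ep_scheme = urlsplit(endpoint).scheme.lower()
    if ep_scheme != "https":
        return False, (f"claimed identifier {claimed_id} is https but its "
                       f"OP endpoint {endpoint} is {ep_scheme or 'unknown'}; "
                       "refusing to continue")
    return True, "ok"


# Constructed identity page: a secure claimed identifier whose page
# points at a plain-http OP endpoint, the shape discussed in the thread.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://op.example.test/server"></link>
<link rel="openid.delegate" href="https://alice.example.test/"></link>
</head><body>Alice</body></html>"""

if __name__ == "__main__":
    found = discover(SAMPLE_PAGE)
    print(found)
    print(check_chain("https://alice.example.test/", found))
```

Run as a script it prints the discovered links and then a refusal naming the http endpoint; with `require_ssl=False` the same chain is accepted, which is the default behaviour the thread attributes to the OpenID spec itself.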



