[OpenID] Bug in OpenID RP implementations
Andrew Arnott
andrewarnott at gmail.com
Fri Jan 2 00:48:25 UTC 2009
Hi Eric,
DotNetOpenId is the .NET implementation of OpenID that is used at
nerdbank.org/rp. And no, nerdbank.org/rp is *not* configured with
RequireSsl, although I mean to add a checkbox to the login page to allow the
user to turn the feature on for demo purposes. And you're correct in
gathering that if that (as yet non-existent) checkbox was checked, the
authentication would never start, and you'd get a meaningful error message
stating that the auth could not be completed securely and was therefore
aborted.
Regarding the error message that you're seeing, I agree it is not very
helpful to an end user. There is definitely room for improvement in this
area. The only way I was able to diagnose the real problem is by reviewing
the logs that were available at http://nerdbank.org/rp/tracepage.aspx after
you had tried to authenticate. The logs provide the kind of information
that you could send protectnetwork and expect that they could do something
with it.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 5:36 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Jan 1, 2009, at 5:20 PM, Andrew Arnott wrote:
>
> > Eric, I notice that although your Claimed Identifier in your example
> > is https://ejnorman.protectnetwork.org, which is a "secure" identity
> > page, it contains this tag:
> > <link rel="openid.server"
> > href="http://openid.protectnetwork.org/server"></link>
> >
> >
> > This means that the RP will 'securely' discover that your
> > authenticating OP is an 'insecure' URL and happily use it (again,
> > unless the RP takes special measures that are beyond what the OpenID
> > spec mandates). And again, DotNetOpenId does have a RequireSsl mode
> > that does exactly this, which would essentially deny you the ability
> > to log in with this Claimed Id because it has an insecure element in
> > the chain.
>
> OK, I think I understand what you're saying.
>
> I don't know what you mean by DotNetOpenID. But if you're
> saying that the RP that I used (nerdbank.org/rp) does the
> RequireSSL thing, then how come I was allowed to continue
> the process of authenticating to protectnetwork?
>
> And let's not forget that the error message I quoted is
> not appropriate. If I'm supposed to talk to the
> protectnetwork OP about this problem, then sending them
> that error message is really going to help, isn't it?
> (That was sarcasm).
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
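The failure mode discussed in this thread (an HTTPS Claimed Identifier whose HTML discovery points at a plain-HTTP OP endpoint, which a default RP accepts and a RequireSsl-style RP refuses) can be shown in a few lines. The example below is added here and is not DotNetOpenId's code; it is written in Python rather than .NET, and the identity page it parses is a constructed document modelled on the `<link rel="openid.server">` tag quoted above, not anything fetched from protectnetwork.org. The `require_ssl` flag, `discover` and `check_chain` are hypothetical names for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not fetched): an HTTPS identity page whose discovered
# OP endpoint is plain HTTP, as in the tag quoted in the thread.
INSECURE_PAGE = """<html><head>
<link rel="openid.server" href="http://openid.protectnetwork.org/server"></link>
<link rel="openid.delegate" href="https://ejnorman.protectnetwork.org"></link>
</head><body>identity page</body></html>"""

# Constructed sample: the same page with an HTTPS endpoint, so the whole chain is secure.
SECURE_PAGE = INSECURE_PAGE.replace(
    'href="http://openid.protectnetwork.org/server"',
    'href="https://openid.protectnetwork.org/server"')


class OpenIdLinkParser(HTMLParser):
    """Collect <link rel=... href=...> entries used by OpenID HTML discovery
    (openid.server / openid.delegate for 1.x, openid2.provider / openid2.local_id for 2.0)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        # rel may carry several space-separated tokens; keep the first href per token
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, href)


def discover(claimed_id, html):
    """HTML discovery: map a Claimed Identifier's page to its OP endpoint and local id."""
    parser = OpenIdLinkParser()
    parser.feed(html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        raise ValueError("no OpenID provider endpoint found in identity page")
    return {
        "claimed_id": claimed_id,
        "op_endpoint": endpoint,
        "op_local_id": links.get("openid2.local_id") or links.get("openid.delegate"),
    }


class InsecureDiscoveryError(Exception):
    """Raised when require_ssl is on and any element of the discovery chain is not HTTPS."""


def check_chain(result, require_ssl):
    """Return the non-HTTPS elements of the chain; abort before any redirect if require_ssl.

    A spec-conformant RP without the flag will proceed to the HTTP endpoint,
    which is exactly the behaviour the thread describes for nerdbank.org/rp."""
    insecure = []
    for name in ("claimed_id", "op_endpoint", "op_local_id"):
        url = result.get(name)
        if url and urlparse(url).scheme.lower() != "https":
            insecure.append((name, url))
    if require_ssl and insecure:
        detail = ", ".join(f"{n}={u}" for n, u in insecure)
        raise InsecureDiscoveryError(
            "authentication cannot be completed securely and was aborted: " + detail)
    return insecure


if __name__ == "__main__":
    claimed = "https://ejnorman.protectnetwork.org"
    for label, page in (("insecure", INSECURE_PAGE), ("secure", SECURE_PAGE)):
        result = discover(claimed, page)
        print(label, "default RP proceeds; insecure elements:", check_chain(result, False))
        try:
            check_chain(result, True)
            print(label, "RequireSsl RP proceeds")
        except InsecureDiscoveryError as e:
            print(label, "RequireSsl RP:", e)
```

The check runs on the discovery result before the RP redirects the user anywhere, which is why a RequireSsl RP never starts the authentication at all and can give the user a message naming the offending element, rather than the opaque error the OP produced later in this exchange.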