[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Sat Jan 3 06:47:11 UTC 2009
dotnetOpenid accepted and processed the large assertion post from myopenid (with a largish email address, forcing foreground communication by HTTP POST). Unlike in the SAML websso world (which has long used the same notion of auto-submit form event handlers firing on the onload event), the browser here visibly flashes "press this button... if no javascript". I'll assume this is a myopenid coding limitation, in how they formulated their javascript. It really ought not to show.
Since you folk evidently understand what myopenid does right and wrong about AX, any hints on how to now have the demo DotNetOpenID RP site request an ax attribute (that myopenid can fulfill, and whose value I can set)?
Congratulations, https://homepw.myopenid.com/. You have completed the OpenID login process.
In addition to authenticating you, your OpenID Provider may have told us something about you using the Simple Registration extension:
Nickname
Email
-----BEGIN+CERTIFICATE-----%0d%0aMIIFVzCCAz%2bgAwIBAgIDBTfsMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv%0d%0ab3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ%0d%0aQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y%0d%0adEBjYWNlcnQub3JnMB4XDTA4MDUyMDE1NTI0NVoXDTEwMDUyMDE1NTI0NVowfjEL%0d%0aMAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD%0d%0aVQQKEwtDQWNlcnQgSW5jLjEXMBUGA1UEAxMOd3d3LmNhY2VydC5vcmcxITAfBgkq%0d%0ahkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD%0d%0aggEPADCCAQoCggEBAM3iqo3YIRO2BaAEEoZ%2fUi8efBtl44PlQO71ubOvhc7lMU%2fW%0d%0aSC%2fVuw36z6O8WwvX2Lgx2gwYwJ94JvyHCAmNNQc0ohHHk7jNOeOieJKBX3kwCPnQ%0d%0aSPQJpIZwR6gcpDsblEHADjq0Qugjdn5RTAg1v65xd8Y4yoalkETgtrncTZ1fkhpg%0d%0aAVEYcx38JeLL3IHoDgTQH%2bM29XyIN2NJEnClkdoGftZlPCKEvd36T%2fkl6vrEm0Vy%0d%0aZV9orUAKG116J%2bIwn%2bqFSgiz40gtDrpz9raEyixM72DqfY%2f4Gmgs1LrN19LEPu7u%0d%0aIGvs%2fV8FqZ5twpfdctZq0iaq9fIGvWa1q9quvC0CAwEAAaOB4jCB3zAMBgNVHRMB%0d%0aAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB%0d%0aBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB%0d%0aBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMFcGA1UdEQRQME6CDCouY2Fj%0d%0aZXJ0Lm9yZ4IKY2FjZXJ0Lm9yZ4IMKi5jYWNlcnQubmV0ggpjYWNlcnQubmV0ggwq%0d%0aLmNhY2VydC5jb22CCmNhY2VydC5jb20wDQYJKoZIhvcNAQEFBQADggIBABjbtGob%0d%0a4GSzxFLeOEAoBl6Znt0Dk2VhsZv6IrdvcpSrhnnHvPDRXi%2bls9mwOkRT4M%2b2E3L9%0d%0aIQhMfGMveB5Nf1pfLk%2bAPCQUjVNVe7kZrxsJ18YnjqPYM3hYi3Sr96U2ixNvIGi%2b%0d%0aVaBvx1FoxHdFyKF3k2eApVWngJnCxwk%2fN4QRFP6OGeimLlPAYhw0R6SBOyPdyx3g%0d%0aL6NMDOUi9%2frz7cCNzlC8oW3Wy9VpFZh2jDTTve0JouG9%2fY8T2CFJWyrneeajecNZ%0d%0a6QLD52O2TOQRgi2Ym31J3%2brxx3Ujep85FcC4mawwweYnU6LqQ032GuWbRU9p9Oqv%0d%0aWF4ZOOnLy2ZaQdfMRBZ7dy6Dhrj8tkOjNSC4MmJDDXL0lVo0HTCo1TDVMUWIIDaK%0d%0aBZd7%2bwyoR5SXUcsuKxXGKWm9CITNFCYZttPtwtS1yH8p5YNdfhkNlr4jscWDAL2g%0d%0agLEEyRraAYjUh6Uot7mmXM2%2bIgwJX1DrS39bWghqk0gRXrkvhtx18R08dnZDJZaV%0d%0aghynZb6PSFRXYLMOqb9Uzf8%2fre6iWXwUKbzUcT1ZL4spZktfvaCUQP9YqZVYfhJ7%0d%0aXXymJqnCuXpMxzMTxbvq6zROqyRqVS%2f1h
ZxHhh%2fkr%2bEiNxDSkv7CJtuYVuufZkr%2b%0d%0aDBInG0zsM0C9ajuawgX3vY%2bMMbeuDTQXPcg3%0d%0a-----END+CERTIFICATE---- at rapattoni.com
FullName
Date of Birth
Gender
Male
Post Code
89436
Country
US
Language
Timezone
America/Los_Angeles
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Friday, January 02, 2009 9:05 PM
To: Peter Watkins
Cc: Martin Atkins; OpenID List
Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
As Peter said, RPs can already do whitelists/blacklists. And DotNetOpenId in particular makes a web.config file very easily include these whitelist/blacklists that can allow RPs to be selective about which OP endpoints they'll permit. This config file can also enable the RequireSsl mode that I've explained earlier.
As far as a config file that modifies that web server's approved CA list, it's definitely an interesting idea. But be aware that doing this is a privileged operation in .NET, and that makes it impossible to do any special HTTPS cert approval on shared hosting on which only partial trust is allowed to the sites that run on them.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire
On Fri, Jan 2, 2009 at 10:10 AM, Peter Watkins <peterw at tux.org> wrote:
On Fri, Jan 02, 2009 at 11:08:39AM +0200, Martin Paljak wrote:
> In real life most end user software does not check for the status of a
> certificate (CRL/OCSP)
I suspect that claim is not true. IE7 on Vista and Firefox 3 default
to using OCSP -- for instance, by the time I followed the recipe for
the www.mozilla.com demo of the cert that never should've been issued,
Firefox 3's OCSP check rejected it.
> I second here the questions often raised about CAs by Peter Williams,
> but the community has managed to subtly ignore the topic. "If there is
> a problem (which we don't believe there is) then this is for the PKI/
> TLS/HTTPS guys to fix", "Just pay to a big company for your certs",
> "Apparently we use whatever CA certificates Debian uses" are all signs
> of delegating the problem somewhere else.
And why not delegate? TLS is a bedrock security technology for current
Web business -- from a simple Yahoo storefront to millionaires accessing
their online brokerage accounts. A lot of businesses have a lot riding on
TLS and https, and a lot of incentive to fix any problems. And we've seen
them do just that. It's not perfect (I'm still peeved that Microsoft has
effectively blocked attempts to give TLS RSA decent forward secrecy), but
TLS is widely understood to be critically important, and people more
influential than us, and smarter than me, are working on this stuff -- the
improved OCSP support in Firefox and IE7 being a good illustration.
> In addition to "let's just do what everybody else is doing" OpenID
> could provide additional mechanisms. I once suggested having a
> separate configuration file and format for RP libraries to be able to
> configure white/blacklists and OP certificates/CA checksums and
> trust settings.
Nothing is stopping any RP from doing that. Shoot, that's what Microsoft's
HealthVault site has been doing for OpenID all along.
-Peter
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general