[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Peter Watkins peterw at tux.org
Sun Jan 4 00:34:07 UTC 2009


Can't you "just" add the CAs to trusted roots for the Windows account
that the asp.net app runs as? I suppose it'd be tougher for folks
using integrated auth & impersonation, but I also expect most asp.net
webapps doing OpenID auth aren't using impersonation. Similarly, I'd
expect to be able to remove CA certs from the asp.net webapp user's
profile in order to shorten the CA whitelist.

I don't know how tough it is to edit the root certs for the profiles of
app pool-type accounts, and hope you'll forgive my not firing up
Studio on a Saturday night to see if there's an obvious API. :-)

On *nix it's usually pretty straightforward -- find the keystore 
holding root certs and manipulate it via OpenSSL, Java keytool, 
or whatever app is appropriate for the environment. Is it not the
same in Windows?

-Peter

On Sat, Jan 03, 2009 at 03:24:37PM -0800, Andrew Arnott wrote:
> Definitely some interesting thoughts in there.
> I'll add one more: while it makes a sensible default for Microsoft to cause
> .NET connections to HTTPS servers without a signed cert by a known good CA
> to fail, it doesn't seem like it should require the whole machine to trust
> the individual web site if that web site wishes to go ahead and make a
> connection.  Crying out loud: if a partial trust web site can initiate an
> HTTP connection to a random server (which it can, with GoDaddy's small
> deviation to Medium Trust), why couldn't it also open an HTTPS connection in
> order to encrypt the traffic, and decide to be its own judge on the validity
> of that certificate?
> 
> I'm going to poke around Microsoft and see if I can't get this policy
> changed so that .NET clients can approve of these certs signed by
> lesser-known CAs.


