[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Andrew Arnott andrewarnott at gmail.com
Sun Jan 4 03:05:32 UTC 2009


On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <peterw at tux.org> wrote:

>
> Can't you "just" add the CAs to trusted roots for the Windows account
> that the asp.net app runs as?


Not while that ASP.NET app is running with medium trust.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <peterw at tux.org> wrote:

>
> Can't you "just" add the CAs to trusted roots for the Windows account
> that the asp.net app runs as? I supposed it'd be tougher for folks
> using integrated auth & impersonation, but I also expect most asp.net
> webapps doing OpenID auth aren't using impersonation. Similarly, I'd
> expect to be able to remove CA certs from the asp.net webapp user's
> profile in order to shorten the CA whitelist.
>
> I don't know how tough it is to edit the root certs for the profiles of
> app pool-type accounts, and hope you'll forgive my not firing up
> Studio on a Saturday night to see if there's an obvious API. :-)
>
> On *nix it's usually pretty straightforward -- find the keystore
> holding root certs and manipulate it via OpenSSL, Java keytool,
> or whatever app is appropriate for the environment. Is it not the
> same in Windows?
>
> -Peter
>
> On Sat, Jan 03, 2009 at 03:24:37PM -0800, Andrew Arnott wrote:
> > Definitely some interesting thoughts in there.
> > I'll add one more: while it makes a sensible default for Microsoft to cause
> > .NET connections to HTTPS servers without a signed cert by a known good CA
> > to fail, it doesn't seem like it should require the whole machine to trust
> > the individual web site if that web site wishes to go ahead and make a
> > connection.  Crying out loud: if a partial trust web site can initiate an
> > HTTP connection to a random server (which it can, with GoDaddy's small
> > deviation to Medium Trust), why couldn't it also open an HTTPS connection in
> > order to encrypt the traffic, and decide to be its own judge on the validity
> > of that certificate?
> >
> > I'm going to poke around Microsoft and see if I can't get this policy
> > changed so that .NET clients can approve of these certs signed by
> > lesser-known CAs.
>
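Editor's note: the two approaches argued over above (putting the CA into the Windows trust store of the account the app runs as, versus letting the web application "be its own judge" of the server certificate) differ in where the trust decision lives. The following is an added example, written for this page and not code from either poster or from any OpenID RP library, of the second approach in .NET: the application rebuilds the server's certificate chain against its own private set of root CAs and accepts the connection only if the chain terminates in one of them, so the machine store is never touched and the CA whitelist is exactly as short as the file the app ships. The file path App_Data/trusted-cas.cer and the class and method names are assumptions. One caveat the thread does not settle: ServicePointManager.ServerCertificateValidationCallback is process-wide, and, to my knowledge, setting it demands the Infrastructure security permission, which a Medium Trust policy does not grant, so verify against your host's policy before relying on this under partial trust.

```csharp
// Added example (not from the thread): per-application server certificate
// validation against a private root set, instead of the Windows trust store.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PrivateRootValidation
{
    // Assumed location of the CA certificates this application chooses to trust:
    // a single DER-encoded root, or a PKCS#7 (.p7b) bundle of several roots.
    const string TrustedRootsPath = "App_Data/trusted-cas.cer";

    static readonly X509Certificate2Collection TrustedRoots = LoadTrustedRoots(TrustedRootsPath);

    static X509Certificate2Collection LoadTrustedRoots(string path)
    {
        var roots = new X509Certificate2Collection();
        roots.Import(path);
        if (roots.Count == 0)
            throw new InvalidOperationException("No trusted root certificates loaded from " + path);
        return roots;
    }

    // Call once at application start (e.g. from Application_Start in Global.asax).
    // Note: this callback applies to every HTTPS connection in the process.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateAgainstPrivateRoots;
    }

    static bool ValidateAgainstPrivateRoots(object sender, X509Certificate certificate,
                                            X509Chain systemChain, SslPolicyErrors errors)
    {
        // A missing certificate or a host name mismatch is fatal no matter who issued it;
        // only the "unknown CA" class of chain errors is ours to re-judge below.
        if (certificate == null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        // Rebuild the chain ourselves, offering the private roots as candidates and
        // telling the engine not to fail merely because the OS store does not know them.
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.AddRange(TrustedRoots);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        // Keep revocation checking on and fail closed if it cannot be performed;
        // relax to NoCheck only if your private CAs publish no CRL at all.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

        var leaf = new X509Certificate2(certificate);
        if (!chain.Build(leaf)) return false;

        // AllowUnknownCertificateAuthority lets Build() succeed with an untrusted root,
        // so the real trust decision is made here: the top of the chain must be
        // exactly one of the private roots, compared by thumbprint.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        foreach (X509Certificate2 trusted in TrustedRoots)
        {
            if (string.Equals(trusted.Thumbprint, root.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

The thumbprint comparison at the end is what makes this a whitelist rather than a bypass: returning true from the callback whenever Build() succeeds would accept any self-signed root the server cares to present, since the AllowUnknownCertificateAuthority flag has already silenced the untrusted-root error.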