[OpenID] Trying to verify that my OpenID is valid

Peter Williams pwilliams at rapattoni.com
Wed Jan 14 11:39:08 UTC 2009


And what is "proper" use of https in openid discovery?

Should a conforming OP doing SP discovery by pulling the XRDS from an https endpoint be able to talk to an INDEPENDENT OCSP server that gives reputation information on the server certs supplied?

In the "auto-connect" metadata model of Ping Identity (which is like a polished version of openid's SP/OP discovery), metadata very similar to XRDS is obtained from (https) URLs bound (by websso switch configuration) to the domain name of the email identifiers users enter at RPs. (This is similar to how openiders enter URLs/XRIs).

To each websso-switch registered root cert (e.g. the server cert from RapidSSL that is added to the switch's root store) the switch administrator configures a URL pointing to the reputation/validity server operated by the SSO domain operator (not the CA/PKI, note). During https cert processing, the switch uses the IETF's OCSP protocol, enabling the websso switch to determine the reputation of the cert, as adjudged by the SSO trust network.

This all works quite nicely with RPs that are doing SSL virtual hosting. Depending on which trust network (OP->RP->OAUTH-SP) the RPs and SPs are operating under, the RP component of an AC or SP would supply a different SSL server cert ...pointing to a different validation/reputation server for that AC->SPs trust network.

OpenID could standardize the kind of thing above, now - since it's all standard (but professional grade) https. We can't just punt to whatever some library maker in Debian did, though.


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, January 13, 2009 11:12 PM
To: Dan Lyke
Cc: general at openid.net
Subject: Re: [OpenID] Trying to verify that my OpenID is valid

I'd fully support that.

I was almost going to do the same for OpenID Japan.
(Also testing for proper use of https etc.)

=nat
On Wed, Jan 14, 2009 at 12:12 PM, Dan Lyke <danlyke at flutterby.com<mailto:danlyke at flutterby.com>> wrote:
On Tue, 13 Jan 2009 18:31:08 -0800
Martin Atkins <mart at degeneration.co.uk<mailto:mart at degeneration.co.uk>> wrote:
> Assuming we actually have some tests to host, this is a great idea.
>
> However, I'm not sure that we do, do we?
Some time a few years ago I wrote a pretty comprehensive YADIS test,
indirectly for VeriSign. I'll see if I can track down the legal state
of that.

Dan
_______________________________________________
general mailing list
general at openid.net<mailto:general at openid.net>
http://openid.net/mailman/listinfo/general



--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
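The thread talks about hosting OpenID conformance tests and about what "proper use of https" in discovery means. The following is an added illustration, not code posted by anyone in the thread: a small check over an XRDS/YADIS document that selects OpenID services in XRD priority order and flags any endpoint, or the discovery document itself, that is not served over https. The XRDS sample, the hostnames and the function names are constructed for this example; the OCSP/reputation step Peter describes is outside its scope.

```python
"""Check an XRDS/YADIS discovery document for OpenID endpoints and https use.

Added example, not code from the mailing-list thread. Uses only the
standard library; the XRDS sample below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Service types an OpenID relying party looks for during discovery.
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/server",   # OP identifier
    "http://specs.openid.net/auth/2.0/signon",   # claimed identifier
    "http://openid.net/signon/1.1",
    "http://openid.net/signon/1.0",
}

# Constructed sample: one https endpoint, one legacy http endpoint, one
# unrelated service that discovery must ignore.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/server</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://legacy.example.net/server</URI>
    </Service>
    <Service>
      <Type>http://example.net/unrelated-service</Type>
      <URI>https://other.example.net/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _priority(elem):
    # XRD priority: lower value wins; an absent priority sorts last.
    p = elem.get("priority")
    return int(p) if p is not None and p.isdigit() else float("inf")


def parse_openid_services(xrds_text):
    """Return the OpenID services of an XRDS document, highest priority first."""
    root = ET.fromstring(xrds_text)
    if root.tag != _tag(XRDS_NS, "XRDS"):
        raise ValueError("not an XRDS document: %s" % root.tag)
    xrds = [c for c in root if c.tag == _tag(XRD_NS, "XRD")]
    if not xrds:
        raise ValueError("XRDS contains no XRD element")
    xrd = xrds[-1]  # XRI resolution: the last XRD is the one that applies
    services = []
    for svc in (c for c in xrd if c.tag == _tag(XRD_NS, "Service")):
        types = {t.text.strip() for t in svc if t.tag == _tag(XRD_NS, "Type") and t.text}
        matched = types & OPENID_TYPES
        if not matched:
            continue
        uris = sorted((u for u in svc if u.tag == _tag(XRD_NS, "URI") and u.text), key=_priority)
        for uri in uris:
            services.append({"types": sorted(matched), "uri": uri.text.strip(),
                             "priority": _priority(svc)})
    services.sort(key=lambda s: s["priority"])  # stable sort keeps URI order
    return services


def check_https_use(xrds_text, document_url):
    """Report OpenID endpoints and every place plain http is used instead of https."""
    findings = []
    doc_scheme = urlparse(document_url).scheme
    if doc_scheme != "https":
        findings.append("discovery document fetched over %s, not https: %s" % (doc_scheme, document_url))
    services = parse_openid_services(xrds_text)
    for s in services:
        scheme = urlparse(s["uri"]).scheme
        if scheme != "https":
            findings.append("OpenID endpoint uses %s: %s" % (scheme, s["uri"]))
    return {"services": services, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    report = check_https_use(SAMPLE_XRDS, "https://example.net/yadis")
    for s in report["services"]:
        print(s["priority"], s["uri"], s["types"])
    for f in report["findings"]:
        print("FINDING:", f)
```

Run as-is it lists the two OpenID services in priority order and reports the legacy http endpoint; fetching the same document from an http URL adds a second finding for the document itself. Parsing with ElementTree does not fetch external entities, so an XRDS that references DTDs or entities on another host is rejected rather than followed.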