[OpenID] [OpenID board] Members Login broken
Peter Williams
pwilliams at rapattoni.com
Mon Jan 26 16:47:53 UTC 2009
I think this belongs in the UI arena, to be honest. The underlying issues are not easily solvable, without a strong focus on trust models in the TX/CS WG (that probably still has not been recognized). However, some UI guidance might "do for now".
Just as folks are conceiving of the need to impose OP standards on UI, so there may need to be RP standards. I can see this being worth time to write up if folks agree that UI design is the place where the issues SHOULD be addressed (somehow), pending CS/TX outputs.
Basically
If a user applies a vanity URL which the consumer now rejects (because of SSL trust issues), the only notice the user gets today from the average consumer site is "the openid/OP is not valid". There is little to tell the user...that it's because his/her website's cert has expired/been revoked/been compromised etc. or the CA used by that site is not on the consumer's trust list (or it was on the trust list, but is no longer...in what may be the Eddy issue). If the same user was to now use an OP-provisioned openid directly at the same RP without delegation and it works at that consumer site.... it's going to be very confusing to the user.
Do we really want to go down the route of formally incorporating self-signed SSL certs of vanity delegation endpoints into the discovery model of openid? Personally, I'd like that - as it addresses the core issue frontally: let users register using some means (e.g. TX/CX/AX/other) their own root-cert CTL for SSL at each consumer, which then drives the SSL-component of discovery per the _user's_ own trust model. This is essentially what I was recommending to Andrew, last month. I think it fits the UCI model perfectly, but clearly undermines "branded OP" business models.
> -----Original Message-----
> From: chris.messina at gmail.com [mailto:chris.messina at gmail.com]
> Sent: Monday, January 26, 2009 8:33 AM
> To: Peter Williams
> Cc: sappenin at gmail.com; general at openid.net
> Subject: Re: [OpenID] [OpenID board] Members Login broken
>
> I don't see how this is unique to OpenID. It seems like the model of
> SSL certs at work.
>
> Perhaps, Peter, you could write up the issues that might occur when
> using self-signed or other SSL-protected OpenIDs and how you recommend
> addressing them. This should be a document on the wiki that we can add
> to over time, with real world advice as these issues manifest, as
> surely they will.
>
> Chris
>
> On 1/26/09, Peter Williams <pwilliams at rapattoni.com> wrote:
> > I'll hazard a guess he used one from his own firm:
> > http://www.startcom.org
> >
> > Be interesting to discover if a "trust issue" is what underlies the
> > sudden inability to interwork.
> >
> > More generally, users of vanity URLs may encounter this "sudden
> > cessation of interworking issue" quite often, given the nature of the
> > consumer-initiated discovery process used by openid. There, the RP may
> > reject the SSL cert of the vanity site, assuming as per good practice
> > it follows up and checks if the CA has issued a revocation notice. This
> > revocation will stop discovery, and probably manifest to the user as
> > "RP cannot use OP/openid", even though probably the certs at the
> > delegate OPs are fine.
> >
> > Lots of real-world usability issues...to work through... due to
> > https/cert-based revocation and compromise recovery ...particularly
> > in the delegation model of discovery.
> >
> >> -----Original Message-----
> >> From: chris.messina at gmail.com [mailto:chris.messina at gmail.com]
> >> Sent: Monday, January 26, 2009 8:10 AM
> >> To: Peter Williams
> >> Cc: sappenin at gmail.com; general at openid.net
> >> Subject: Re: [OpenID] [OpenID board] Members Login broken
> >>
> >> Which OP is Eddy using? What did he enter into the login box?
> >>
> >> I don't have any update on open sourcing the voting software; maybe
> >> folks from the voting committee do?
> >>
> >> Chris
> >>
> >> On 1/26/09, Peter Williams <pwilliams at rapattoni.com> wrote:
> >> > One should determine why Eddy's OP suddenly ceased
> >> > interoperability; those members who use his openid service to access
> >> > their membership benefits have lost access. This is presumably a high
> >> > priority matter for the executive, seeing as subscribers paid for
> >> > benefits that are presumably not now being delivered. (Eddy's case is
> >> > always interesting, because it forces policy and practices issues
> >> > into the open.)
> >> >
> >> > More generally, how are we doing on announcing the plan for releasing
> >> > the (non) open source code of the voting software?
> >> >
> >> > From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> >> > On Behalf Of David Fuelling
> >> > Sent: Saturday, January 24, 2009 6:29 PM
> >> > To: board at openid.net
> >> > Cc: general at openid.net
> >> > Subject: Re: [OpenID] [OpenID board] Members Login broken
> >> >
> >> > Member Login is working for me at present.
> >> >
> >> > Also, I vote that we keep RPX if it makes financial sense to do so.
> >> >
> >> > RPX works (Eddy's case as an exception), and when RPX doesn't work --
> >> > there's somebody whose job it is to only worry about RPX. Case in
> >> > point, if this was an RPX issue, then it wasn't an issue for very
> >> > long, because somebody was on top of it, and fixed it.
> >> >
> >> > IMHO, the foundation has other things to worry about than making sure
> >> > the website technology is working properly. We should be paying
> >> > people to do that for core/key technology where volunteer help is
> >> > either too slow, or non-existent.
> >> >
> >> > Let's let the OpenID community members concentrate on spec-writing.
> >> >
> >> > My $0.02.
> >> >
> >> > david
> >> > On Sun, Jan 25, 2009 at 12:47 AM, Eddy Nigg (StartCom Ltd.)
> >> > <eddy_nigg at startcom.org> wrote:
> >> > Members Login seems to be broken again, at least for me:
> >> >
> >> > https://openid.net/foundation/members/members returns
> >> >
> >> > "There was an error looking up your OpenID"
> >> >
> >> > ...besides that, I thought that we are giving up on RPX once the
> >> > votes for the board are over. What happened with that?
> >> > --
> >> > Regards
> >> >
> >> > Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> >> --
> >> Chris Messina
> >> Citizen-Participant &
> >> Open Web Advocate-at-Large
> >>
> >> factoryjoe.com # diso-project.org
> >> citizenagency.com # vidoop.com
> >> This email is: [ ] bloggable [X] ask first [ ] private
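As an added illustration of the UI point raised in this thread (this is not code from the thread, from the OpenID Foundation site, or from any OpenID library), here is a Python sketch of how a relying party could report *why* discovery of a claimed identifier failed, so a user of a vanity delegation URL learns that the site's certificate has expired or chains to an untrusted CA instead of a bare "OpenID is not valid". Function names such as `classify_discovery_error` and the category labels are my own choices.

```python
import socket
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# OpenSSL X509_V_ERR_* result codes that Python surfaces as
# ssl.SSLCertVerificationError.verify_code, mapped to wording a user
# of a vanity (delegation) URL can actually act on.
VERIFY_REASONS = {
    9: "the identifier site's certificate is not yet valid",
    10: "the identifier site's certificate has expired",
    18: "the identifier site uses a self-signed certificate this RP does not trust",
    19: "the identifier site's certificate chain ends in a CA this RP does not trust",
    20: "the identifier site's certificate was issued by a CA this RP does not trust",
    23: "the identifier site's certificate has been revoked",
    62: "the identifier site's certificate does not match its hostname",
}

def explain_tls_failure(exc):
    """Map a verification error to a specific reason, with a safe default."""
    return VERIFY_REASONS.get(getattr(exc, "verify_code", None),
                              "the identifier site's certificate could not be verified")

def classify_discovery_error(exc):
    """Split 'discovery failed' into (category, reason) so the UI can say
    whether the delegation site's TLS trust, the network, an HTTP error, or
    the OpenID markup itself is the problem."""
    if isinstance(exc, HTTPError):
        return ("http", "the identifier site returned HTTP %d" % exc.code)
    cause = exc.reason if isinstance(exc, URLError) else exc
    if isinstance(cause, ssl.SSLCertVerificationError):
        return ("tls_trust", explain_tls_failure(cause))
    if isinstance(cause, ssl.SSLError):
        return ("tls_protocol", "the TLS handshake with the identifier site failed")
    if isinstance(cause, (socket.timeout, socket.gaierror, ConnectionError)):
        return ("network", "the identifier site could not be reached")
    return ("openid", "the page at that URL does not yield a usable OpenID")

def fetch_claimed_identifier(url, cafile=None, timeout=10):
    """Fetch the claimed identifier page with full certificate validation.
    Returns (body, None) on success or (None, (category, reason)) on failure.
    Revocation (code 23) is only reported if CRLs were loaded into the
    context; the default context checks the chain, validity dates and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read(), None
    except (URLError, OSError) as exc:
        return None, classify_discovery_error(exc)
```

Passing a per-user `cafile` to `fetch_claimed_identifier` is one way to realise the "user's own trust list" idea above, since the vanity site's issuer would then be validated against roots the user registered rather than the RP's global list.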