[OpenID] https discovery & login for AOL at long last?

George Fletcher gffletch at aol.com
Thu Sep 17 15:52:19 UTC 2009 

Hi Peter,

A couple of things:) We are working on supporting https identifiers and 
from a directed-identity perspective, all pair-wise pseudonymous 
"OpenIDs" will be SSL. We are also working on resolving the SSL issue 
for openid.aol.com, so that you can use 
https://openid.aol.com/identifier as a valid OpenID. I can't promise any 
time lines (normal big company stuff) but this is a goal of our ongoing 
OpenID work.

We do have a "unique" problem (shared by a few other OPs) in that we 
have active users using http based OpenIDs at Relying Parties across the 
web. So we can't move to SSL only OpenIDs without breaking those 
customer's experience. I suspect that if you force all OpenIDs to be 
SSL, then a user's interaction with your site will work just fine.

I have heard a couple reasonable suggestions (notably Breno from Google) 
for helping to connect an https OpenID to an http one by leveraging the 
OpenID XRDS file retrievable over SSL. There are currently no 
"standards" around this, but I believe it is worth exploring. However, 
it would mean that RPs would need to do some extra work which is 
questionable.

Again, I can't promise dates, but this is on our roadmap:)

Thanks,
George


John Bradley wrote:
> Expect positive news from AOL.
>
> They have been working very hard behind the scenes.
>
> They have openID 2.0 RP support enabled on some of there sites.
> They don't get proper credit for that.
>
> I can confirm that they are in testing for the GSA pilot as a openID 
> 2.0 OP.
>
> John B.
> On 2009-09-16, at 5:27 PM, Peter Watkins wrote:
>
>> Wired says that the US federal governmment will soon let people
>> log in to government Web sites with OpenID identifiers from a select
>> few RPs, including AOL
>>   http://www.wired.com/epicenter/2009/09/feds-embrace-openid/
>>
>> The Wired article implies that AOL has https-only authentication 
>> enabled:
>>
>> "These companies have undergone a certification process designed by the
>> Information Card Foundation, the OpenID Foundation and the federal
>> government that guarantees certain privacy safeguards. For instance,
>> the sites have to use SSL to handle logins"
>>
>> Does AOL finally have https-secured OpenID authentication? Perhaps with
>> directed identity? The only way I know to use directed identity with AOL
>> is via http://openid.aol.com/. That server does have a certificate 
>> installed,
>> but the cert is for api.screenname.aol.com, and 
>> https://api.screenname.aol.com/
>> is not a valid URL for OpenID discovery.
>>
>> Does this .gov news release herald a rebirth of AOL as an OpenID RP?
>>
>> Thanks,
>>
>> Peter
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>

-- 
Chief Architect
Identity Services, AOL
Blog: http://practicalid.blogspot.com

More information about the general mailing list