[OpenID] https discovery & login for AOL at long last?

John Bradley ve7jtb at ve7jtb.com
Thu Sep 17 17:16:44 UTC 2009


At some point we need to deal with this issue of step up authentication.

When a user with a http: URI turns up at a site with the https: scheme.

RPs are expressly forbidden from treating them as equivalent by
OpenID 2.0.

Finding a way to allow RPs to migrate users from http to https seems a  
reasonable goal.

Going the other way should be precluded.

The RP at the moment is required to normalize to http if the user is  
not explicit.

There are a bunch of things that are leading security to be lowest  
common denominator.

I am hoping that some of the things in the GSA profile will get people  
thinking about some of the issues.

John B.

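As an added illustration of the normalization rule John refers to (example code, not from the thread, the OpenID specification text, or AOL's implementation), the Python below applies the OpenID Authentication 2.0 section 7.2 URL normalization an RP must perform, shows that the http and https forms of an identifier compare as distinct, and sketches an upgrade-only migration check. The `may_migrate` policy is an assumption about how an RP could move an account from http to https after a successful https login; the spec defines no such rule.

```python
"""OpenID 2.0 claimed-identifier normalization (spec section 7.2) and an
http-to-https migration check. Added example, not list or vendor code."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Normalize a URL identifier the way an OpenID 2.0 RP must:
    no scheme means http:// (the RP may not assume https), the fragment
    is dropped, scheme and host are lower-cased, default ports removed
    and an empty path becomes "/". XRIs are out of scope here."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # .hostname is already lower-cased
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{parts.port}"     # keep only non-default ports
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # no fragment


def same_identifier(a: str, b: str) -> bool:
    """Exact comparison: an http:// and an https:// identifier differ."""
    return normalize_identifier(a) == normalize_identifier(b)


def may_migrate(stored: str, asserted: str) -> bool:
    """Assumed step-up policy: an account holding an http identifier may be
    moved to the https identifier with the same authority, path and query
    once an https login has succeeded; the reverse (downgrade) is refused."""
    old = urlsplit(normalize_identifier(stored))
    new = urlsplit(normalize_identifier(asserted))
    return (old.scheme, new.scheme) == ("http", "https") and (
        (old.netloc, old.path, old.query) == (new.netloc, new.path, new.query)
    )


if __name__ == "__main__":
    # Constructed sample inputs, not identifiers from the thread.
    print(normalize_identifier("Example.COM/alice#frag"))        # http://example.com/alice
    print(same_identifier("http://example.com/", "https://example.com/"))  # False
    print(may_migrate("example.com", "https://example.com/"))     # True
    print(may_migrate("https://example.com/", "http://example.com/"))  # False
```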

On 2009-09-17, at 12:58 PM, Steven Livingstone Pérez wrote:

> I recently had this issue and decided to drop http and use https  
> exclusively.
>
> Inconvenience for some but solves a lot of potential pain. In
> addition I allow 'linking' of other OpenIDs so you can use others
> if you wish. On my site it is now all SSL.
>
> BUT I'm not AOL and appreciate your pain given the pain I went  
> through.
>
> steven
> http://livz.org
>
> > Date: Thu, 17 Sep 2009 11:52:19 -0400
> > From: gffletch at aol.com
> > To: peterw at tux.org
> > CC: openid-general at lists.openid.net
> > Subject: Re: [OpenID] https discovery & login for AOL at long last?
> >
> > Hi Peter,
> >
> > A couple of things:) We are working on supporting https identifiers and
> > from a directed-identity perspective, all pair-wise pseudonymous
> > "OpenIDs" will be SSL. We are also working on resolving the SSL issue
> > for openid.aol.com, so that you can use
> > https://openid.aol.com/identifier as a valid OpenID. I can't promise any
> > time lines (normal big company stuff) but this is a goal of our ongoing
> > OpenID work.
> >
> > We do have a "unique" problem (shared by a few other OPs) in that we
> > have active users using http based OpenIDs at Relying Parties across the
> > web. So we can't move to SSL only OpenIDs without breaking those
> > customers' experience. I suspect that if you force all OpenIDs to be
> > SSL, then a user's interaction with your site will work just fine.
> >
> > I have heard a couple reasonable suggestions (notably Breno from Google)
> > for helping to connect an https OpenID to an http one by leveraging the
> > OpenID XRDS file retrievable over SSL. There are currently no
> > "standards" around this, but I believe it is worth exploring. However,
> > it would mean that RPs would need to do some extra work which is
> > questionable.
> >
> > Again, I can't promise dates, but this is on our roadmap:)
> >
> > Thanks,
> > George
> >
> >
> > John Bradley wrote:
> > > Expect positive news from AOL.
> > >
> > > They have been working very hard behind the scenes.
> > >
> > > They have OpenID 2.0 RP support enabled on some of their sites.
> > > They don't get proper credit for that.
> > >
> > > I can confirm that they are in testing for the GSA pilot as an OpenID
> > > 2.0 OP.
> > >
> > > John B.
> > > On 2009-09-16, at 5:27 PM, Peter Watkins wrote:
> > >
> > >> Wired says that the US federal government will soon let people
> > >> log in to government Web sites with OpenID identifiers from a select
> > >> few RPs, including AOL
> > >> http://www.wired.com/epicenter/2009/09/feds-embrace-openid/
> > >>
> > >> The Wired article implies that AOL has https-only authentication
> > >> enabled:
> > >>
> > >> "These companies have undergone a certification process designed by the
> > >> Information Card Foundation, the OpenID Foundation and the federal
> > >> government that guarantees certain privacy safeguards. For instance,
> > >> the sites have to use SSL to handle logins"
> > >>
> > >> Does AOL finally have https-secured OpenID authentication? Perhaps with
> > >> directed identity? The only way I know to use directed identity with AOL
> > >> is via http://openid.aol.com/. That server does have a certificate
> > >> installed, but the cert is for api.screenname.aol.com, and
> > >> https://api.screenname.aol.com/ is not a valid URL for OpenID discovery.
> > >>
> > >> Does this .gov news release herald a rebirth of AOL as an OpenID RP?
> > >>
> > >> Thanks,
> > >>
> > >> Peter
> > >>
> > >> _______________________________________________
> > >> general mailing list
> > >> general at lists.openid.net
> > >> http://lists.openid.net/mailman/listinfo/openid-general
> > >
> > >
> > >
> >
> > --
> > Chief Architect
> > Identity Services, AOL
> > Blog: http://practicalid.blogspot.com
> >
> >
>
