[OpenID] https discovery & login for AOL at long last?

John Bradley ve7jtb at ve7jtb.com
Thu Sep 17 17:42:03 UTC 2009 

The thing is unless the RP unlinks the http version there is no  
increase in security.

A attacker just uses the insecure version connected to the account.

Guiding people to use the more secure version and removing the old is  
a challenge.

Something that  I recommended OP's do a year ago was stop issuing  
http: uri for all new accounts have the URI normalized to https via  
redirect.

That at least stops the problem from getting bigger.   At the moment  
the migration challenge gets bigger with each new user.

John B.
On 2009-09-17, at 1:31 PM, Chris Messina wrote:

> One way to address this problem is for the RP to be smart — and once  
> a user has successfully authenticated against an HTTP URL, to detect  
> whether an HTTPS OpenID endpoint exists at their provider and ask  
> them to associate a "higher security" OpenID — or something  
> (obviously not the final language, flow, or user experience)... but  
> the point being... we already see smart RPs allowing people to  
> associate multiple identifiers with their account — to ensure access  
> in case one of their remote accounts goes down or is inaccessible...  
> and simply because RPs want confirmed email addresses for spamming  
> purposes (sigh, reality).
>
> One approach — for the interim — could simply be for RPs to accept  
> HTTP URLs to start and then to detect or simply "know" which OPs  
> offer an SSL OpenID endpoint and again, offer to "link" the HTTPS  
> account to their HTTP account.
>
> In the future, it could be the case (perhaps), that the RP can do an  
> "upgrade" to the scheme before initiating the OpenID redirect if  
> they recognize what the user typed into the box...
>
> Alternatively (and a less good UX) would be to have a checkbox  
> beneath the OpenID button/entry field that says "Use a secure  
> connection when available"...
>
> Not great, but potential stopgap measures.
>
> Chris
>
>
> 2009/9/17 John Bradley <ve7jtb at ve7jtb.com>
> At some point we need to deal with this issue of step up  
> authentication.
>
> When a user with a http: URI turns up at a site with the https:  
> scheme.
>
> RP's are expressly forbidden from treating them as equivalent by  
> openID 2.0.
>
> Finding a way to allow RPs to migrate users from http to https seems  
> a reasonable goal.
>
> Going the other way should be precluded.
>
> The RP at the moment is required to normalize to http if the user is  
> not explicit.
>
> There are a bunch of things that are leading security to be lowest  
> common denominator.
>
> I am hoping that some of the things in the GSA profile will get  
> people thinking about some of the issues.
>
> John B.
>
>
> On 2009-09-17, at 12:58 PM, Steven Livingstone Pérez wrote:
>
>> I recently had this issue and decided to drop http and use https  
>> exclusively.
>>
>> Inconvenience for some but solves a lot of potential pain. In  
>> addition I allow 'linking' of other OpenID's so you can use others  
>> if you wish. On my site it is now all SSL.
>>
>> BUT I'm not AOL and appreciate your pain given the pain I went  
>> through.
>>
>> steven
>> http://livz.org
>>
>> > Date: Thu, 17 Sep 2009 11:52:19 -0400
>> > From: gffletch at aol.com
>> > To: peterw at tux.org
>> > CC: openid-general at lists.openid.net
>> > Subject: Re: [OpenID] https discovery & login for AOL at long last?
>> >
>> > Hi Peter,
>> >
>> > A couple of things:) We are working on supporting https  
>> identifiers and
>> > from a directed-identity perspective, all pair-wise pseudonymous
>> > "OpenIDs" will be SSL. We are also working on resolving the SSL  
>> issue
>> > for openid.aol.com, so that you can use
>> > https://openid.aol.com/identifier as a valid OpenID. I can't  
>> promise any
>> > time lines (normal big company stuff) but this is a goal of our  
>> ongoing
>> > OpenID work.
>> >
>> > We do have a "unique" problem (shared by a few other OPs) in that  
>> we
>> > have active users using http based OpenIDs at Relying Parties  
>> across the
>> > web. So we can't move to SSL only OpenIDs without breaking those
>> > customer's experience. I suspect that if you force all OpenIDs to  
>> be
>> > SSL, then a user's interaction with your site will work just fine.
>> >
>> > I have heard a couple reasonable suggestions (notably Breno from  
>> Google)
>> > for helping to connect an https OpenID to an http one by  
>> leveraging the
>> > OpenID XRDS file retrievable over SSL. There are currently no
>> > "standards" around this, but I believe it is worth exploring.  
>> However,
>> > it would mean that RPs would need to do some extra work which is
>> > questionable.
>> >
>> > Again, I can't promise dates, but this is on our roadmap:)
>> >
>> > Thanks,
>> > George
>> >
>> >
>> > John Bradley wrote:
>> > > Expect positive news from AOL.
>> > >
>> > > They have been working very hard behind the scenes.
>> > >
>> > > They have openID 2.0 RP support enabled on some of there sites.
>> > > They don't get proper credit for that.
>> > >
>> > > I can confirm that they are in testing for the GSA pilot as a  
>> openID
>> > > 2.0 OP.
>> > >
>> > > John B.
>> > > On 2009-09-16, at 5:27 PM, Peter Watkins wrote:
>> > >
>> > >> Wired says that the US federal governmment will soon let people
>> > >> log in to government Web sites with OpenID identifiers from a  
>> select
>> > >> few RPs, including AOL
>> > >> http://www.wired.com/epicenter/2009/09/feds-embrace-openid/
>> > >>
>> > >> The Wired article implies that AOL has https-only authentication
>> > >> enabled:
>> > >>
>> > >> "These companies have undergone a certification process  
>> designed by the
>> > >> Information Card Foundation, the OpenID Foundation and the  
>> federal
>> > >> government that guarantees certain privacy safeguards. For  
>> instance,
>> > >> the sites have to use SSL to handle logins"
>> > >>
>> > >> Does AOL finally have https-secured OpenID authentication?  
>> Perhaps with
>> > >> directed identity? The only way I know to use directed  
>> identity with AOL
>> > >> is via http://openid.aol.com/. That server does have a  
>> certificate
>> > >> installed,
>> > >> but the cert is for api.screenname.aol.com, and
>> > >> https://api.screenname.aol.com/
>> > >> is not a valid URL for OpenID discovery.
>> > >>
>> > >> Does this .gov news release herald a rebirth of AOL as an  
>> OpenID RP?
>> > >>
>> > >> Thanks,
>> > >>
>> > >> Peter
>> > >>
>> > >> _______________________________________________
>> > >> general mailing list
>> > >> general at lists.openid.net
>> > >> http://lists.openid.net/mailman/listinfo/openid-general
>> > >
>> > > _______________________________________________
>> > > general mailing list
>> > > general at lists.openid.net
>> > > http://lists.openid.net/mailman/listinfo/openid-general
>> > >
>> >
>> > --
>> > Chief Architect
>> > Identity Services, AOL
>> > Blog: http://practicalid.blogspot.com
>> >
>> >
>> > _______________________________________________
>> > general mailing list
>> > general at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-general
>>
>> Ready for Fall shows? Use Bing to find helpful ratings and reviews  
>> on digital tv's. Click  
>> here._______________________________________________
>>
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
>
> -- 
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is:   [ ] bloggable    [X] ask first   [ ] private

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090917/ca3d5345/attachment-0001.htm>

More information about the general mailing list