[OpenID] https discovery & login for AOL at long last?
Steven Livingstone Pérez
weblivz at hotmail.com
Thu Sep 17 18:12:57 UTC 2009
Would be neat if an RP could periodically query (and store) of band an OP for a profile that could define such things and be easily extended.
steven
http://livz.org
Date: Thu, 17 Sep 2009 10:31:56 -0700
Subject: Re: [OpenID] https discovery & login for AOL at long last?
From: chris.messina at gmail.com
To: ve7jtb at ve7jtb.com
CC: weblivz at hotmail.com; openid-general at lists.openid.net
One way to address this problem is for the RP to be smart — and once a user has successfully authenticated against an HTTP URL, to detect whether an HTTPS OpenID endpoint exists at their provider and ask them to associate a "higher security" OpenID — or something (obviously not the final language, flow, or user experience)... but the point being... we already see smart RPs allowing people to associate multiple identifiers with their account — to ensure access in case one of their remote accounts goes down or is inaccessible... and simply because RPs want confirmed email addresses for spamming purposes (sigh, reality).
One approach — for the interim — could simply be for RPs to accept HTTP URLs to start and then to detect or simply "know" which OPs offer an SSL OpenID endpoint and again, offer to "link" the HTTPS account to their HTTP account.
In the future, it could be the case (perhaps), that the RP can do an "upgrade" to the scheme before initiating the OpenID redirect if they recognize what the user typed into the box...
Alternatively (and a less good UX) would be to have a checkbox beneath the OpenID button/entry field that says "Use a secure connection when available"...
Not great, but potential stopgap measures.
Chris
2009/9/17 John Bradley <ve7jtb at ve7jtb.com>
At some point we need to deal with this issue of step up authentication.
When a user with a http: URI turns up at a site with the https: scheme.
RP's are expressly forbidden from treating them as equivalent by openID 2.0.
Finding a way to allow RPs to migrate users from http to https seems a reasonable goal.
Going the other way should be precluded.
The RP at the moment is required to normalize to http if the user is not explicit.
There are a bunch of things that are leading security to be lowest common denominator.
I am hoping that some of the things in the GSA profile will get people thinking about some of the issues.
John B.
On 2009-09-17, at 12:58 PM, Steven Livingstone Pérez wrote:
I recently had this issue and decided to drop http and use https exclusively.
Inconvenience for some but solves a lot of potential pain. In addition I allow 'linking' of other OpenID's so you can use others if you wish. On my site it is now all SSL.
BUT I'm not AOL and appreciate your pain given the pain I went through.
steven
http://livz.org
> Date: Thu, 17 Sep 2009 11:52:19 -0400
> From: gffletch at aol.com
> To: peterw at tux.org
> CC: openid-general at lists.openid.net
> Subject: Re: [OpenID] https discovery & login for AOL at long last?
>
> Hi Peter,
>
> A couple of things:) We are working on supporting https identifiers and
> from a directed-identity perspective, all pair-wise pseudonymous
> "OpenIDs" will be SSL. We are also working on resolving the SSL issue
> for openid.aol.com, so that you can use
> https://openid.aol.com/identifier as a valid OpenID. I can't promise any
> time lines (normal big company stuff) but this is a goal of our ongoing
> OpenID work.
>
> We do have a "unique" problem (shared by a few other OPs) in that we
> have active users using http based OpenIDs at Relying Parties across the
> web. So we can't move to SSL only OpenIDs without breaking those
> customer's experience. I suspect that if you force all OpenIDs to be
> SSL, then a user's interaction with your site will work just fine.
>
> I have heard a couple reasonable suggestions (notably Breno from Google)
> for helping to connect an https OpenID to an http one by leveraging the
> OpenID XRDS file retrievable over SSL. There are currently no
> "standards" around this, but I believe it is worth exploring. However,
> it would mean that RPs would need to do some extra work which is
> questionable.
>
> Again, I can't promise dates, but this is on our roadmap:)
>
> Thanks,
> George
>
>
> John Bradley wrote:
> > Expect positive news from AOL.
> >
> > They have been working very hard behind the scenes.
> >
> > They have openID 2.0 RP support enabled on some of there sites.
> > They don't get proper credit for that.
> >
> > I can confirm that they are in testing for the GSA pilot as a openID
> > 2.0 OP.
> >
> > John B.
> > On 2009-09-16, at 5:27 PM, Peter Watkins wrote:
> >
> >> Wired says that the US federal governmment will soon let people
> >> log in to government Web sites with OpenID identifiers from a select
> >> few RPs, including AOL
> >> http://www.wired.com/epicenter/2009/09/feds-embrace-openid/
> >>
> >> The Wired article implies that AOL has https-only authentication
> >> enabled:
> >>
> >> "These companies have undergone a certification process designed by the
> >> Information Card Foundation, the OpenID Foundation and the federal
> >> government that guarantees certain privacy safeguards. For instance,
> >> the sites have to use SSL to handle logins"
> >>
> >> Does AOL finally have https-secured OpenID authentication? Perhaps with
> >> directed identity? The only way I know to use directed identity with AOL
> >> is via http://openid.aol.com/. That server does have a certificate
> >> installed,
> >> but the cert is for api.screenname.aol.com, and
> >> https://api.screenname.aol.com/
> >> is not a valid URL for OpenID discovery.
> >>
> >> Does this .gov news release herald a rebirth of AOL as an OpenID RP?
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >> _______________________________________________
> >> general mailing list
> >> general at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-general
> >
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
> >
>
> --
> Chief Architect
> Identity Services, AOL
> Blog: http://practicalid.blogspot.com
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
Ready for Fall shows? Use Bing to find helpful ratings and reviews on digital tv's. Click here._______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
--
Chris Messina
Open Web Advocate
Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina
Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net
This email is: [ ] bloggable [X] ask first [ ] private
_________________________________________________________________
Bing brings you health info from trusted sources.
http://www.bing.com/search?q=pet+allergy&form=MHEINA&publ=WLHMTAG&crea=TXT_MHEINA_Health_Health_PetAllergy_1x1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090917/4f708e27/attachment.htm>
More information about the general
mailing list