[OpenID] AOL, directed identity, and https?
George Fletcher
gffletch at aol.com
Fri Jun 11 21:02:36 UTC 2010
Hi Peter,
AOL supports two types of identifiers...
1. opaque pseudonymous identifiers (as required by the US Government
ICAM profile). These identifiers are always HTTPS identifiers and can be
requested by specifying the PAPE policy "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier".
This is described in section 3.3.1.
2. Public correlatable identifiers. Unfortunately, these are still HTTP
and they will have to stay that way until there is a way to upgrade HTTP
OpenIDs to HTTPS OpenIDs. I have a plan for AOL, but unless all RPs
agree to implement the flow (described in a session at IIW[1]), AOL
users will lose all their data at the RP because an HTTP OpenID does NOT
equal an HTTPS OpenID.
So, if you currently have no AOL users at your RP, then if you use the
PAPE policy for pseudonymous identifiers, you will have a complete path
over HTTPS.
Also, XRDS discovery works for www.aol.com which is a little easier than
"https://api.screenname.aol.com/auth" :)
Feel free to contact me off-list if you need any specific details.
Thanks,
George
[1] http://iiw.idcommons.net/Migrating_from_HTTP_to_HTTPS_OpenID
On 6/11/10 4:25 PM, Peter Watkins wrote:
> It's been 9 months since we saw this headline:
>
> Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom,
> Citi, Privo, Wave Systems Pilot Open Identity for Open Government
>
> (http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government-2/)
>
> and I understood that one of the US Government's ICAM
> requirements for OpenID OPs was to use 100% https. Last month
> I checked AOL again and it is *very* close to providing what
> I expected -- I can use https://api.screenname.aol.com/auth/
> for a directed identity login with AOL. But the final identifiers
> are http:// URLs ("https://api.screenname.aol.com/auth/screenname"
> or "https://api.screenname.aol.com/auth/biglongrandomstringhere").
> Is this AOL's final plan, or will they move to using https:
> URIs for individual identifiers?
>
> As far as I know, Google and Yahoo! are still the only really
> big OPs that offer 100% https directed identity logins. This does
> simplify our NASCAR RP login page, but I'm disappointed not to be
> able to offer AOL and Windows Live... are there other big players
> whose logos I should consider adding, OPs with 100% https directed
> identity solutions in place now?
>
> Thanks,
>
> Peter
>
--
Chief Architect
Identity Services Engineering
AOL Inc.
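An RP-side sketch of the pseudonymous-identifier request George describes, added here as an example that is not code from the thread, from AOL or from any OpenID library: it builds a directed-identity checkid_setup request carrying the PAPE policy URI, and accepts the returned identifier only if that policy was asserted back and the identifier is https. The OP endpoint, return_to and realm values and the sample response are constructed assumptions.

```python
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
# Policy URI from George's mail: asks the OP for an opaque pseudonymous identifier.
PPID_POLICY = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
               "privatepersonalidentifier")


def build_checkid_params(return_to, realm):
    """Directed-identity checkid_setup request carrying the PAPE policy."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,  # directed identity: the OP picks
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PPID_POLICY,
    }


def redirect_url(op_endpoint, params):
    """Append the request to the OP endpoint (checkid_setup is sent as a GET redirect)."""
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def accept_https_ppid(response):
    """Return the asserted claimed_id only if the OP honoured the PPID policy
    and the identifier is https; otherwise None. This is an extra policy check
    on top of the usual signature and discovery verification of the assertion."""
    if response.get("openid.ns.pape") != PAPE_NS:
        return None
    policies = response.get("openid.pape.auth_policies", PAPE_NONE).split()
    if PPID_POLICY not in policies:
        return None
    claimed = response.get("openid.claimed_id", "")
    if urlparse(claimed).scheme != "https":
        return None  # an http:// OpenID is a different identifier entirely
    return claimed


# Constructed sample assertion (not a real AOL response): policy met, https identifier.
SAMPLE_OK = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PPID_POLICY,
    "openid.claimed_id": "https://op.example.com/auth/PPID-PLACEHOLDER",
}
```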