<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I tried to use my https://cacert.at/homepw url at
dotnetopenid the other day. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It works at pbwiki and openid foundation, and showed the (good news)
padlock.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>(If I’m an ordinary user, I’m now confused. If I get
on the phone (costing me $10, and the provider $25) I’ll probably
understand very little of what the level 1 support person tells me about trust
networks, and CA CTLs. I’m 58, and all I know is it worked at the openid
foundation and not at dotnetopenid. Why wouldn’t it?)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Anyone looked at Nat’s proposal CX again, recently, while
I’m ranting?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Wednesday, December 31, 2008 5:02 PM<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] Bug in AOL OpenID Provider implementation<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Is there anyone on this list
who works for or with AOL OpenID folks? I have (below) a description of
an interop issue with the AOL OpenID Provider that may be a bug they should
look at.<br>
<br>
Thanks.<br>
<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>---------- Forwarded message ----------<br>
From: <b>Andrew Arnott</b> <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br>
Date: Wed, Dec 31, 2008 at 5:50 PM<br>
Subject: Re: [dotnetopenid] problems with AOL today?<br>
To: <a href="mailto:dotnetopenid@googlegroups.com">dotnetopenid@googlegroups.com</a><br>
<br>
<br>
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this on to the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug pronto!<br>
<br>
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base
64 encoded) value, which must be URL encoded because it is a URL
parameter. Then since the return_to URI is itself a URL parameter, it is
encoded again. <br>
<br>
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.<br>
<br>
<b>Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.</b><o:p></o:p></p>
<pre><span style='font-family:"Tahoma","sans-serif"'>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.mode: checkid_setup<br>
openid.identity: <a
href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a><br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.trust_root: <a
href="http://nerdbank.org/RP/" target="_blank">http://nerdbank.org/RP/</a><br>
openid.return_to: <a
href="http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>%2b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.ns.sreg: <a
href="http://openid.net/extensions/sreg/1.1" target="_blank">http://openid.net/extensions/sreg/1.1</a><br>
openid.sreg.policy_url: <a
href="http://nerdbank.org/RP/PrivacyPolicy.aspx" target="_blank">http://nerdbank.org/RP/PrivacyPolicy.aspx</a><br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.sreg.required: gender,postcode,timezone<br>
openid.sreg.optional: email,country<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'><br>
2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to <a
href="https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>%252b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%<a
href="http://2fopenid.net" target="_blank">2fopenid.net</a>%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%<a
href="http://2fnerdbank.org" target="_blank">2fnerdbank.org</a>%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'>2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:<br>
ReturnUrl: /rp/MembersOnly/Default.aspx<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> token: ATjrrFUCgj1z1e2dmRTszTnE<span
style='color:red'>4tB iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> OpenIdTextBox_UsePersistentCookie: False<br>
openid.mode: id_res<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.identity: <a
href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a><br>
openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.return_to: <a
href="http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>+</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.signed: identity,return_to<br>
openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><span
style='font-family:"Tahoma","sans-serif"'> openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=<br>
<br>
</span><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><br clear=all>
<o:p></o:p></pre>
<p class=MsoNormal>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <<a
href="mailto:jnylund@yahoo.com" target="_blank">jnylund@yahoo.com</a>>
wrote:<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Hey, anyone else having issues with AOL openid? As of today on my site I can't
use AOL to login or signup; there is a problem with the token they are sending
over. Haven't had a chance to debug yet, just wondering if anyone else has seen it?<br>
<br>
When I try using Andrew's site I see the same problem:<br>
<br>
Server Error in '/RP' Application.<br>
Invalid length for a Base-64 char array.<br>
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.<br>
<br>
Exception Details: System.FormatException: Invalid length for a Base-64 char
array.<br>
<br>
Source Error:<br>
<br>
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.<br>
<br>
Stack Trace:<br>
<br>
[FormatException: Invalid length for a Base-64 char array.]<br>
System.Convert.FromBase64String(String s) +0<br>
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
store) in Token.cs:82<br>
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
verifySignature) in AuthenticationResponse.cs:222<br>
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
OpenIdRelyingParty.cs:294<br>
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
OpenIdTextBox.cs:639<br>
System.Web.UI.Control.LoadRecursive() +47<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436<br>
<br>
<br>
<br>
thanks<br>
<span style='color:#888888'>Joel<br>
<br>
</span><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
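<p class=MsoNormal>The encoding chain Andrew describes, as an added example that is not part of this thread or of DotNetOpenId: the RP encodes the token once inside return_to (+ becomes %2B) and once more when return_to becomes a query parameter of the OP redirect (%252B); a correct OP echoes the once-decoded value verbatim, while the buggy variant decodes it a second time, so the RP's framework then reads the literal + as a space and the base64 length check fails. Hostnames, paths and the token value are constructed for the demo.</p>

```python
import base64
import binascii
from urllib.parse import urlencode, unquote, urlsplit, parse_qs

# Constructed sample values, not the ones from the log: the token is base64
# text containing a '+' and a trailing '=', the characters that must be
# URL-encoded when the token rides in a query string.
RP_LOGIN = "http://rp.example/login.aspx"          # hypothetical RP
OP_ENDPOINT = "https://op.example/openidServer"    # hypothetical OP
TOKEN = base64.b64encode(b"\xf8\x00\x00hello token").decode()  # '+AAAaGVsbG8gdG9rZW4='


def rp_build_request():
    """RP side: the token is encoded once inside return_to (+ -> %2B), then
    return_to is itself a query parameter of the OP redirect and is encoded
    again (%2B -> %252B)."""
    return_to = RP_LOGIN + "?" + urlencode({"ReturnUrl": "/members/", "token": TOKEN})
    return OP_ENDPOINT + "?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.return_to": return_to})


def op_respond(request_url, buggy):
    """OP side. parse_qs decodes the query once, as the HTTP layer does, so
    openid.return_to is already a valid URL and must be used verbatim. The
    buggy variant decodes it a second time, turning %2B into a literal '+'."""
    return_to = parse_qs(urlsplit(request_url).query)["openid.return_to"][0]
    if buggy:
        return_to = unquote(return_to)
    return return_to + "&" + urlencode({"openid.mode": "id_res"})


def rp_parse_token(response_url):
    """RP side: decode the query once, then base64-decode the token. Whitespace
    is dropped the way .NET's Convert.FromBase64String drops it, so a '+' that
    arrived as ' ' shortens the string to an invalid length."""
    token = parse_qs(urlsplit(response_url).query)["token"][0]
    raw = "".join(token.split())
    if len(raw) % 4:
        return None  # 'Invalid length for a Base-64 char array'
    try:
        return base64.b64decode(raw, validate=True)
    except binascii.Error:
        return None


if __name__ == "__main__":
    req = rp_build_request()
    print("correct OP ->", rp_parse_token(op_respond(req, buggy=False)))
    print("buggy OP   ->", rp_parse_token(op_respond(req, buggy=True)))
```

<p class=MsoNormal>Because the OP signs whatever return_to it sends back (openid.signed lists return_to in the log), the signature check alone does not reveal the corruption; the RP only notices when the token fails to decode, which is the FormatException Joel reported.</p>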
</div>
</body>
</html>