Hi Peter,<br><br>I just checked out the <a href="https://cacert.at/homepw">https://cacert.at/homepw</a> URL you mentioned. The reason the <a href="http://nerdbank.org/rp">http://nerdbank.org/rp</a> site rejects that URL is because the HTTPS certificate is not signed by a recognized cert authority at the server hosting the site. <br>
<br>This doesn't actually have anything to do with the AOL issue, right? (Does this deserve its own thread?) I just want to make sure I'm understanding the issue you're getting at. I'm also not familiar with this CX thing. Is that a certificate exchange protocol that's in the works?<br>
<br>Thanks.<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I tried to use my <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a> url at
dotnetopenid the other day. </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">It works at pbwiki and openid foundation, and showed the (good news)
padlock.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">(If I'm an ordinary user, I'm now confused. If I get
on the phone (costing me $10, and the provider $25) I'll probably
understand very little of what the level 1 support person tells me about trust
networks and CA CTLs. I'm 58, and all I know is it worked at the openid
foundation and not at dotnetopenid. Why wouldn't it?)</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Anyone looked at Nat's proposal CX again, recently, while
I'm ranting?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;">
<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Wednesday, December 31, 2008 5:02 PM<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] Bug in AOL OpenID Provider implementation</span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p style="margin-bottom: 12pt;">Is there anyone on this list
who works for or with AOL OpenID folks? I have (below) a description of
an interop issue with the AOL OpenID Provider that may be a bug they should
look at.<br>
<br>
Thanks.<br>
<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>---------- Forwarded message ----------<br>
From: <b>Andrew Arnott</b> <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>><br>
Date: Wed, Dec 31, 2008 at 5:50 PM<br>
Subject: Re: [dotnetopenid] problems with AOL today?<br>
To: <a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a><br>
<br>
<br>
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this onto the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug pronto!<br>
<br>
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base
64 encoded) value, which must be URL encoded because it is a URL
parameter. Then since the return_to URI is itself a URL parameter, it is
encoded again. <br>
<br>
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.<br>
<br>
<b>Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.</b></p>
<pre>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:

 openid.mode: checkid_setup
 openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
 openid.trust_root: <a href="http://nerdbank.org/RP/" target="_blank">http://nerdbank.org/RP/</a>
 openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%2b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
 openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
 openid.ns.sreg: <a href="http://openid.net/extensions/sreg/1.1" target="_blank">http://openid.net/extensions/sreg/1.1</a>
 openid.sreg.policy_url: <a href="http://nerdbank.org/RP/PrivacyPolicy.aspx" target="_blank">http://nerdbank.org/RP/PrivacyPolicy.aspx</a>
 openid.sreg.required: gender,postcode,timezone
 openid.sreg.optional: email,country

2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to <a href="https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE" target="_blank">https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%252b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry

2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
ReturnUrl: /rp/MembersOnly/Default.aspx
 token: ATjrrFUCgj1z1e2dmRTszTnE<span style="color: red;">4tB iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
 OpenIdTextBox_UsePersistentCookie: False
 openid.mode: id_res
 openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
 openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
 openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>+</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
 openid.signed: identity,return_to
 openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
 openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
</pre>
<p>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<div>
<p style="margin-bottom: 12pt;"><br>
<br>
</p>
<div>
<p>On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <<a href="mailto:jnylund@yahoo.com" target="_blank">jnylund@yahoo.com</a>>
wrote:</p>
<p style="margin-bottom: 12pt;"><br>
Hey, anyone else having issues with AOL openid? As of today on my site I can't
use AOL to login or signup; there is a problem with the token they are sending
over. Haven't had a chance to debug yet, just wondering if anyone else has seen it?<br>
<br>
When I try using Andrew's site I see the same problem:<br>
<br>
Server Error in '/RP' Application.<br>
Invalid length for a Base-64 char array.<br>
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.<br>
<br>
Exception Details: System.FormatException: Invalid length for a Base-64 char
array.<br>
<br>
Source Error:<br>
<br>
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.<br>
<br>
Stack Trace:<br>
<br>
[FormatException: Invalid length for a Base-64 char array.]<br>
System.Convert.FromBase64String(String s) +0<br>
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
store) in Token.cs:82<br>
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
verifySignature) in AuthenticationResponse.cs:222<br>
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
OpenIdRelyingParty.cs:294<br>
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
OpenIdTextBox.cs:639<br>
System.Web.UI.Control.LoadRecursive() +47<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436<br>
<br>
<br>
<br>
thanks<br>
<span style="color: rgb(136, 136, 136);">Joel<br>
<br>
</span></p>
</div>
<p> </p>
</div>
</div>
</div>
<p> </p>
</div></div></div>
</div>
</div>
</blockquote></div><br>
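The encoding mismatch in the forwarded message above, modelled end to end as an added Python example (this is not DotNetOpenId's or AOL's code). The token bytes, the rp.example and op.example URLs are constructed placeholders, and the url-safe base64 variant is an added RP-side hardening note that the thread itself does not propose.

```python
import base64
import binascii
from urllib.parse import urlencode, urlsplit, parse_qs, unquote

# Constructed sample token: 6 bytes whose standard base64 form is "4tB+iV9n", so it
# carries a '+' just like the token highlighted in red in the thread's log.
TOKEN_BYTES = bytes.fromhex("e2d07e895f67")
OP_ENDPOINT = "https://op.example/openidServer"   # placeholder, not AOL's endpoint
RP_LOGIN = "http://rp.example/login.aspx"         # placeholder RP login URL

def rp_build_redirect(urlsafe=False):
    """RP side: the base64 token is URL-encoded once into return_to ('+' -> %2B),
    then return_to is URL-encoded again as an OP query parameter (%2B -> %252B)."""
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return_to = RP_LOGIN + "?" + urlencode({"token": enc(TOKEN_BYTES).decode()})
    return OP_ENDPOINT + "?" + urlencode({"openid.mode": "checkid_setup",
                                          "openid.return_to": return_to})

def op_respond(redirect_url, buggy=False):
    """OP side: parse_qs decodes the OP's own query exactly once. A correct OP then
    appends its response fields to return_to verbatim. The bug modelled here decodes
    return_to a second time, turning %2B into a bare '+' before redirecting."""
    return_to = parse_qs(urlsplit(redirect_url).query)["openid.return_to"][0]
    if buggy:
        return_to = unquote(return_to)
    return return_to + "&" + urlencode({"openid.mode": "id_res"})

def rp_parse_token(response_url, urlsafe=False):
    """RP side: decode the query once (a bare '+' reads as a space here, exactly as
    in the thread) and base64-decode the token. Much as Convert.FromBase64String
    does in the stack trace above, b64decode skips the space, leaving an invalid
    length, so the corrupt token yields None instead of bytes."""
    token = parse_qs(urlsplit(response_url).query)["token"][0]
    try:
        if urlsafe:
            return base64.urlsafe_b64decode(token)
        return base64.b64decode(token)
    except (binascii.Error, ValueError):
        return None

def round_trip(buggy, urlsafe=False):
    """Run RP -> OP -> RP and return the recovered token bytes, or None on failure."""
    return rp_parse_token(op_respond(rp_build_redirect(urlsafe), buggy), urlsafe)

if __name__ == "__main__":
    print("correct OP:", round_trip(buggy=False))                     # original bytes
    print("buggy OP:", round_trip(buggy=True))                        # None
    print("buggy OP, url-safe token:", round_trip(True, urlsafe=True))  # survives
```

Running the script shows the correct OP hands the token back intact, the modelled bug turns it into an undecodable string, and a token written in the url-safe base64 alphabet survives even the buggy OP because it never contains '+' or '/'.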