<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1476752368;
mso-list-type:hybrid;
mso-list-template-ids:-2144709614 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So, what I am supposed to do to figure which https CAs works
at nerdbank’s ISP? This limits which https openid I can buy!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I supposed I could trawl through the list in Mozilla, alphabetically,
and pay $100 each time, and see which ones Nerdbank accepts (but Plaxo doesn’t,
but AOL does, but…BlogSpot doesnt)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> Nerdbank is just one of 26,000 openid-accepting RP sites –
all doing https discovery – that I could have picked on, note. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I suppose the next openid trial should be to go back to XRI. I
half recall I one time had an XRI something like *freeid*lockbox which could be
made to actually do a 30x redirect. Let’s see what happens if I put <a
href="https://cacert.at/homepw">https://cacert.at/homepw</a> in its redirector.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Given the semantics of HXRI, isn’t the XRI/XDI authority
endorsing the redirect URLs it introduces, in some authorization/control sense?
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In the native trusted resolution mode of XRI Resolution 2,
perhaps the signed assertion should be sending back to the resolver library the
certid of the SSL authority it advises some particular affiliate network to
respect, when using those redirects. I.e. the CA chain its willing to validate.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>CX could do the same kind of thing, of course: make openid
endpoints that are themselves proxies for XRI trusted resolution mode supping
affiliate statements to the CX consumers.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Thursday, January 01, 2009 6:39 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>I don't think we need a
federation built up around trusting certificates. We already have the
certificate authority (CA) model. I think to get your OpenID working
everywhere, you need everyone to start trusting the CA that signed your HTTPS cert,
or you need to get a new HTTPS cert that is signed by a more well-known CA (the
latter being easier, of course).<br>
<br>
As far as the sites you listed that already accept it, either they happen to
trust your CA already, or they don't verify that the CA is in a trusted list at
all, which is actually quite insecure IMO.<br>
<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Dec 31, 2008 at 10:57 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>I don't know that the AOL
protocol bug is, to be honest. I did wonder (5% fidelity) given the
common AOL relationship if it was the same as mine, which really showed up with
an AOL-related RP (mapquest) last week – when an AOL login page showed up
, with some bizarre (obviously buggy) formatting, once I pointed the mapquest
RP to my own OP (myopenid) -- via that Austrian URL.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>In general :- </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>AOL rejects my .at URL (rather
bizarrely, initiated from mapquest). Nerdbank rejects it. Plaxo rejects it.
Pbwiki accepts it. Foundation membership accepts it. Foundation blog accepts
it..</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Is this a bug? Or just a
feature of openid?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>As a user I think I expect
"Foundation-related" RPs to be in some kind of network – call
it an "affiliation" perhaps. What the foundation accepts, all its
"peers RP" accept – including that stuff about CAs.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>What Rapattoni accepts, perhaps
other US realty sites accept.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>I don't know really know what
the CX proposal contemplates, either. Hopefully it can make my .at openid
work at AOL/mapquest. It may have to address the CA stuff. Rather than some
happenstance recognition my the RP at its hostingsite , we may need some kind
of affiliation model. If United reservations accept my openid, so do all the
car rental companies, for example.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> Andrew Arnott [mailto:<a href="mailto:andrewarnott@gmail.com"
target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, December 31, 2008 8:50 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in AOL OpenID Provider implementation</span><o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Hi Peter,<br>
<br>
I just checked out the <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
URL you mentioned. The reason the <a href="http://nerdbank.org/rp"
target="_blank">http://nerdbank.org/rp</a> site rejects that URL is because the
HTTPS certificate is not signed by a recognized cert authority at the server
hosting the site. <br>
<br>
This doesn't actually have anything to do with the AOL issue right? (does this
deserve its own thread?) I just want to make sure I'm understanding the issue
you're getting at. I'm also not familiar with this CX thing. Is
that a certificate exchange protocol that's in the works?<br>
<br>
Thanks.<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>I tried to use my <a
href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
url at dotnetopenid the other day. </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>It works at pbwiki and openid
foundation, and showed the (good news) padlock.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>(If I'm a ordinary user, I'm
now confused. If I get on the phone (costing me $10, and the provider $25) I'll
probably understand very little of what the level 1 support person tells about
trust networks, and CA CTLs. Im 58, and all I know is it worked at the openid
foundation and not at dotnetopenid. Why wouldn't it?)</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Anyone looked at Nat's proposal
CX again, recently, while I'm ranting?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, December 31, 2008 5:02 PM<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] Bug in AOL OpenID Provider implementation</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Is there anyone on this list who works for or
with AOL OpenID folks? I have (below) a description of an interop issue
with the AOL OpenID Provider that may be a bug they should look at.<br>
<br>
Thanks.<br>
<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>---------- Forwarded message ----------<br>
From: <b>Andrew Arnott</b> <<a href="mailto:andrewarnott@gmail.com"
target="_blank">andrewarnott@gmail.com</a>><br>
Date: Wed, Dec 31, 2008 at 5:50 PM<br>
Subject: Re: [dotnetopenid] problems with AOL today?<br>
To: <a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a><br>
<br>
<br>
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this onto the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug prompto!<br>
<br>
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base
64 encoded) value, which must be URL encoded because it is a URL
parameter. Then since the return_to URI is itself a URL parameter, it is
encoded again. <br>
<br>
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.<br>
<br>
<b>Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.</b><o:p></o:p></p>
<pre>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.mode: checkid_setup<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.identity: <a
href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.trust_root: <a
href="http://nerdbank.org/RP/" target="_blank">http://nerdbank.org/RP/</a><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.return_to: <a
href="http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>%2b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False<br>
<br>
<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.ns.sreg: <a
href="http://openid.net/extensions/sreg/1.1" target="_blank">http://openid.net/extensions/sreg/1.1</a><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.sreg.policy_url: <a
href="http://nerdbank.org/RP/PrivacyPolicy.aspx" target="_blank">http://nerdbank.org/RP/PrivacyPolicy.aspx</a><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.sreg.required: gender,postcode,timezone<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.sreg.optional: email,country<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to <a
href="https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>%252b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%<a
href="http://2fopenid.net" target="_blank">2fopenid.net</a>%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%<a
href="http://2fnerdbank.org" target="_blank">2fnerdbank.org</a>%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry<br>
<br>
<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> ReturnUrl: /rp/MembersOnly/Default.aspx<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> token: ATjrrFUCgj1z1e2dmRTszTnE<span
style='color:red'>4tB iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==<br>
<br>
<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> OpenIdTextBox_UsePersistentCookie: False<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.mode: id_res<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.identity: <a
href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.return_to: <a
href="http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE"
target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span
style='color:red'>4tB<b>+</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False<br>
<br>
<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.signed: identity,return_to<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=<br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre><br>
<br>
<o:p></o:p></pre><pre> <o:p></o:p></pre><pre><br clear=all>
<o:p></o:p></pre>
<p>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<div>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<p>On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <<a
href="mailto:jnylund@yahoo.com" target="_blank">jnylund@yahoo.com</a>>
wrote:<o:p></o:p></p>
<p style='margin-bottom:12.0pt'><br>
Hey, anyone else having issues with AOL openid, as of today on my site I cant
use aol to login or signup, there is a problem with the token they are sending
over, havent had a chance to debug yet, just wondering if anyone else has seen?<br>
<br>
When I try using Andrews site I see same problem:<br>
<br>
Server Error in '/RP' Application.<br>
Invalid length for a Base-64 char array.<br>
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.<br>
<br>
Exception Details: System.FormatException: Invalid length for a Base-64 char
array.<br>
<br>
Source Error:<br>
<br>
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.<br>
<br>
Stack Trace:<br>
<br>
[FormatException: Invalid length for a Base-64 char array.]<br>
System.Convert.FromBase64String(String s) +0<br>
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
store) in Token.cs:82<br>
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
verifySignature) in AuthenticationResponse.cs:222<br>
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
OpenIdRelyingParty.cs:294<br>
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
OpenIdTextBox.cs:639<br>
System.Web.UI.Control.LoadRecursive() +47<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436<br>
<br>
<br>
<br>
thanks<br>
<span style='color:#888888'>Joel</span><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>