As might already be clear, but I'll rephrase just to be sure it's clear to everyone, DotNetOpenId does not itself have a list of CAs it trusts: it's entirely up to the Windows server that hosts the web site that uses it. <br>
<br>Because of that, the list of CAs that work with <a href="http://nerdbank.org">http://nerdbank.org</a> is whatever list GoDaddy happens to use (since they happen to host that web site). I don't have any reason to believe that GoDaddy has customized their list of CAs, so I imagine if you look at any fresh install of a Windows Server and run "certmgr" (I think is the command) you can see the list of trusted CAs there, and that will probably be a good bet that most browsers and servers have at least that list as a starting point.<br>
<br>In general, the easiest way to see if you've got a cert signed by a well-known CA, assuming you haven't added CAs to your own computer's list, is this: if your browser can navigate to a given HTTPS URL without displaying a cert warning then you probably have a good one. <br>
<br>Peter, your URL in particular (<a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>) generates a cert warning in my browser, which is a standard Windows desktop computer. This suggests to me that you probably bought your HTTPS cert from some lesser-known discount CA. I suggest you get a new one. You can get certs that are recognized by virtually everyone for around $15/year, so I don't think there's any reason to get a cheaper one if it cuts off your audience, and in this case yourself from some RPs.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 9:38 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">So, what am I supposed to do to figure out which https CAs work
at nerdbank's ISP? This limits which https openid I can buy!</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I suppose I could trawl through the list in Mozilla, alphabetically,
and pay $100 each time, and see which ones Nerdbank accepts (but Plaxo doesn't,
but AOL does, but…BlogSpot doesn't)</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> Nerdbank is just one of 26,000 openid-accepting RP sites –
all doing https discovery – that I could have picked on, note. </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none solid; border-color: -moz-use-text-color -moz-use-text-color windowtext; border-width: medium medium 1pt; padding: 0in 0in 1pt;">
<p style="border: medium none ; padding: 0in;"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
</div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I suppose the next openid trial should be to go back to XRI. I
half recall I one time had an XRI something like *freeid*lockbox which could be
made to actually do a 30x redirect. Let's see what happens if I put <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a> in its redirector.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Given the semantics of HXRI, isn't the XRI/XDI authority
endorsing the redirect URLs it introduces, in some authorization/control sense?
</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">In the native trusted resolution mode of XRI Resolution 2,
perhaps the signed assertion should be sending back to the resolver library the
certid of the SSL authority it advises some particular affiliate network to
respect, when using those redirects. I.e. the CA chain it's willing to validate.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">CX could do the same kind of thing, of course: make openid
endpoints that are themselves proxies for XRI trusted resolution mode supping
affiliate statements to the CX consumers.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> Andrew Arnott
[mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Thursday, January 01, 2009 6:39 AM<div class="Ih2E3d"><br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> OpenID List<br>
</div><b>Subject:</b> Re: Bug in OpenID RP implementations</span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p style="margin-bottom: 12pt;">I don't think we need a
federation built up around trusting certificates. We already have the
certificate authority (CA) model. I think to get your OpenID working
everywhere, you need everyone to start trusting the CA that signed your HTTPS cert,
or you need to get a new HTTPS cert that is signed by a more well-known CA (the
latter being easier, of course).<br>
<br>
As far as the sites you listed that already accept it, either they happen to
trust your CA already, or they don't verify that the CA is in a trusted list at
all, which is actually quite insecure IMO.<br>
<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Wed, Dec 31, 2008 at 10:57 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>> wrote:</p>
<div>
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I don't know what the AOL
protocol bug is, to be honest. I did wonder (5% fidelity) given the
common AOL relationship if it was the same as mine, which really showed up with
an AOL-related RP (mapquest) last week – when an AOL login page showed up,
with some bizarre (obviously buggy) formatting, once I pointed the mapquest
RP to my own OP (myopenid) -- via that Austrian URL.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">In general :- </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">AOL rejects my .at URL (rather
bizarrely, initiated from mapquest). Nerdbank rejects it. Plaxo rejects it.
Pbwiki accepts it. Foundation membership accepts it. Foundation blog accepts
it.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Is this a bug? Or just a
feature of openid?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">As a user I think I expect
"Foundation-related" RPs to be in some kind of network – call
it an "affiliation" perhaps. What the foundation accepts, all its
"peers RP" accept – including that stuff about CAs.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">What Rapattoni accepts, perhaps
other US realty sites accept.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I don't really know what
the CX proposal contemplates, either. Hopefully it can make my .at openid
work at AOL/mapquest. It may have to address the CA stuff. Rather than some
happenstance recognition by the RP at its hosting site, we may need some kind
of affiliation model. If United reservations accept my openid, so do all the
car rental companies, for example.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> Andrew Arnott [mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, December 31, 2008 8:50 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in AOL OpenID Provider implementation</span></p>
</div>
</div>
<p> </p>
<p style="margin-bottom: 12pt;">Hi Peter,<br>
<br>
I just checked out the <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
URL you mentioned. The reason the <a href="http://nerdbank.org/rp" target="_blank">http://nerdbank.org/rp</a> site rejects that URL is because the
HTTPS certificate is not signed by a recognized cert authority at the server
hosting the site. <br>
<br>
This doesn't actually have anything to do with the AOL issue, right? (Does this
deserve its own thread?) I just want to make sure I'm understanding the issue
you're getting at. I'm also not familiar with this CX thing. Is
that a certificate exchange protocol that's in the works?<br>
<br>
Thanks.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<p>On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:</p>
<div>
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I tried to use my <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
url at dotnetopenid the other day. </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">It works at pbwiki and openid
foundation, and showed the (good news) padlock.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">(If I'm an ordinary user, I'm
now confused. If I get on the phone (costing me $10, and the provider $25) I'll
probably understand very little of what the level 1 support person tells me about
trust networks, and CA CTLs. I'm 58, and all I know is it worked at the openid
foundation and not at dotnetopenid. Why wouldn't it?)</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Anyone looked at Nat's proposal
CX again, recently, while I'm ranting?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, December 31, 2008 5:02 PM<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] Bug in AOL OpenID Provider implementation</span></p>
</div>
</div>
<div>
<div>
<p> </p>
<p style="margin-bottom: 12pt;">Is there anyone on this list who works for or
with AOL OpenID folks? I have (below) a description of an interop issue
with the AOL OpenID Provider that may be a bug they should look at.<br>
<br>
Thanks.<br>
<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<p>---------- Forwarded message ----------<br>
From: <b>Andrew Arnott</b> <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>><br>
Date: Wed, Dec 31, 2008 at 5:50 PM<br>
Subject: Re: [dotnetopenid] problems with AOL today?<br>
To: <a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a><br>
<br>
<br>
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this onto the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug pronto!<br>
<br>
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base
64 encoded) value, which must be URL encoded because it is a URL
parameter. Then since the return_to URI is itself a URL parameter, it is
encoded again. <br>
<br>
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.<br>
<br>
<b>Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.</b></p>
<pre>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
  openid.mode: checkid_setup
  openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
  openid.trust_root: <a href="http://nerdbank.org/RP/" target="_blank">http://nerdbank.org/RP/</a>
  openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%2b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
  openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
  openid.ns.sreg: <a href="http://openid.net/extensions/sreg/1.1" target="_blank">http://openid.net/extensions/sreg/1.1</a>
  openid.sreg.policy_url: <a href="http://nerdbank.org/RP/PrivacyPolicy.aspx" target="_blank">http://nerdbank.org/RP/PrivacyPolicy.aspx</a>
  openid.sreg.required: gender,postcode,timezone
  openid.sreg.optional: email,country

2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to <a href="https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE" target="_blank">https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%252b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry

2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
  ReturnUrl: /rp/MembersOnly/Default.aspx
  token: ATjrrFUCgj1z1e2dmRTszTnE<span style="color: red;">4tB iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
  OpenIdTextBox_UsePersistentCookie: False
  openid.mode: id_res
  openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
  openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
  openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>+</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
  openid.signed: identity,return_to
  openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
  openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
</pre>
<p>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<div>
<p style="margin-bottom: 12pt;"> </p>
<div>
<p>On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <<a href="mailto:jnylund@yahoo.com" target="_blank">jnylund@yahoo.com</a>>
wrote:</p>
<p style="margin-bottom: 12pt;"><br>
Hey, anyone else having issues with AOL openid, as of today on my site I can't
use aol to login or signup, there is a problem with the token they are sending
over, haven't had a chance to debug yet, just wondering if anyone else has seen?<br>
<br>
When I try using Andrew's site I see the same problem:<br>
<br>
Server Error in '/RP' Application.<br>
Invalid length for a Base-64 char array.<br>
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.<br>
<br>
Exception Details: System.FormatException: Invalid length for a Base-64 char
array.<br>
<br>
Source Error:<br>
<br>
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.<br>
<br>
Stack Trace:<br>
<br>
[FormatException: Invalid length for a Base-64 char array.]<br>
System.Convert.FromBase64String(String s) +0<br>
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
store) in Token.cs:82<br>
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
verifySignature) in AuthenticationResponse.cs:222<br>
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
OpenIdRelyingParty.cs:294<br>
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
OpenIdTextBox.cs:639<br>
System.Web.UI.Control.LoadRecursive() +47<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436<br>
<br>
<br>
<br>
thanks<br>
<span style="color: rgb(136, 136, 136);">Joel</span></p>
</div>
<p> </p>
</div>
</div>
</div>
<p> </p>
</div>
</div>
</div>
</div>
</div>
</div>
<p> </p>
</div>
</div>
</div>
</div>
<p> </p>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>
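<p>The double encoding of return_to described in the forwarded analysis above, reproduced as an added example that is not part of the original thread and is not DotNetOpenId or AOL code. The endpoint URLs, token bytes and function names are constructed assumptions; the "buggy" provider models the behaviour the analysis describes (return_to decoded once more than it should be and sent back without re-encoding).</p>

```python
import base64
import binascii
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

# Constructed values (assumptions, not taken from the logged session).
OP_ENDPOINT = "https://op.example/auth"
RP_LOGIN = "http://rp.example/login.aspx"
# Bytes chosen so that the base64 text contains '+' characters.
RAW_TOKEN = b"\xfb\xe0nonce|2009-01-01T00:19:17Z"


def build_return_to(raw_token: bytes) -> str:
    """RP, layer 1: the token is a query value, so '+' becomes %2B."""
    token = base64.b64encode(raw_token).decode("ascii")
    query = urlencode({"ReturnUrl": "/rp/MembersOnly/Default.aspx", "token": token})
    return RP_LOGIN + "?" + query


def build_auth_request(return_to: str) -> str:
    """RP, layer 2: return_to is itself a query value, so %2B becomes %252B."""
    query = urlencode({"openid.mode": "checkid_setup", "openid.return_to": return_to})
    return OP_ENDPOINT + "?" + query


def op_response(request_url: str, buggy: bool) -> str:
    """OP: build the redirect that sends the user back to the RP.

    Correct: decode the request once and use return_to exactly as recovered.
    Buggy:   decode return_to a second time and redirect to that raw text,
             so the token's '+' reaches the RP unescaped.
    """
    params = dict(parse_qsl(urlsplit(request_url).query))
    return_to = params["openid.return_to"]
    if buggy:
        return_to = unquote(return_to)
    extra = urlencode({"openid.mode": "id_res", "openid.return_to": return_to})
    return return_to + "&" + extra


def rp_read_token(response_url: str):
    """RP: decode the incoming query once, then base64-decode the token.

    Returns the token bytes, or None when the value is not valid base64
    (a raw '+' in a query string is read as a space). Returning None lets
    the caller reject the response instead of failing with an unhandled
    exception.
    """
    params = dict(parse_qsl(urlsplit(response_url).query))
    try:
        return base64.b64decode(params.get("token", ""), validate=True)
    except binascii.Error:
        return None


if __name__ == "__main__":
    return_to = build_return_to(RAW_TOKEN)
    request = build_auth_request(return_to)
    print("return_to :", return_to)
    print("request   :", request)
    print("correct OP:", rp_read_token(op_response(request, buggy=False)))
    print("buggy OP  :", rp_read_token(op_response(request, buggy=True)))
```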