<span style="font-size: 11pt; color: rgb(31, 73, 125);">Peter said: Can one properly present a https claim to an OP that does not advertise
an https-capable OP endpoint?<br><br></span>Absolutely. For instance, suppose I have an OpenID provided by <a href="http://someop.org">someop.org</a>. They don't do SSL so their OP endpoint obviously doesn't offer an https endpoint and the OpenID they assigned to me is just a standard HTTP as well. However, I use openid delegation to actually make my Claimed Identifier be <a href="https://blog.nerdbank.net">https://blog.nerdbank.net</a>. I now have a Claimed Identifier which is HTTPS, but a Provider that only does HTTP.<br>
<br>There is no violation of the OpenID spec in this scenario and I would fully expect it to work properly at all RPs -- unless a given RP uses what DotNetOpenId calls "RequireSsl" mode and requires end-to-end SSL, in which case as soon as the HTTPS discovery on <a href="https://blog.nerdbank.net">https://blog.nerdbank.net</a> revealed that the OP used a non-HTTPS endpoint it would fail out and refuse to let the user log in.<span style="font-size: 11pt; color: rgb(31, 73, 125);"><br>
<br clear="all"></span>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 2:01 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">This general topic has been confusing me for a week (being dumb).
Reading the spec further helped zero (seeing as it's minimalist and abstruse)</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Enter an https URL at pbwiki, the OP (myopenid) will do
its things over foreground https, but the resulting challenge screen only petitions
for user auth about my http:// openid claim (which I didn't make). It
sends back an positive assertion about the https:/../ form though.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Myopenid presented the https claim in its UI (over foreground https)
in other RP cases - the openid foundation blog site, as I 49% recall.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Can one properly present a https claim to an OP that does not advertise
an https-capable OP endpoint?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;">
<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Thursday, January 01, 2009 12:45 PM<br>
<b>To:</b> Eric Norman<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations</span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<div>
<p>Eric,</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>I believe it is exactly the problem that Peter is facing.</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>Regarding the behavior you saw, Eric, DotNetOpenId doesn't
ever demote https to http (or if so it would be a bug), but it will go through <i>all</i>
endpoints listed for a given OpenID and chooses from among that list. So
if your OpenID has multiple service endpoints listed (through an XRDS file) can
you check whether a non HTTPS OP Endpoint is among the list?</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>I'd very much like to know the particular OpenID you were
trying it with so I can examine the behavior if you'd care to share (perhaps
off the list if you wish).</p>
</div>
<div>
<p style="margin-bottom: 12pt;"><br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
</div>
<div>
<p>On Thu, Jan 1, 2009 at 12:52 PM, Eric Norman <<a href="mailto:ejnorman@doit.wisc.edu" target="_blank">ejnorman@doit.wisc.edu</a>> wrote:</p>
<div>
<p style="margin-bottom: 12pt;"><br>
On Jan 1, 2009, at 12:14 PM, Andrew Arnott wrote:<br>
<br>
> Because of that, the list of CAs that work with <a href="http://nerdbank.org/" target="_blank">http://nerdbank.org</a> is<br>
> whatever list GoDaddy happens to use (since they happen to host that<br>
> web site).</p>
</div>
<p>That may be the case, but it's probably not relevant or at
best<br>
only a part of the problem.<br>
<br>
When I tried going to <a href="http://nerdbank.org/rp" target="_blank">nerdbank.org/rp</a>
and typing in an OpenID<br>
that starts with "https:", the server at nerdbank changed it<br>
to "http:" and used that to connect with my OP. Other than<br>
the fact that I don't appreciate the weakening of security,<br>
it also failed and said "Login failed: The 'openid.identity'<br>
parameter was expected to have the value 'https:...' but had<br>
'http:...' instead".<br>
<span style="color: rgb(136, 136, 136);"><br>
Eric Norman</span></p>
<div>
<div>
<p><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a></p>
</div>
</div>
</div>
<p> </p>
</div></div></div>
</div>
</div>
</blockquote></div><br>