Eric, I notice that although your Claimed Identifier in your example is <a href="https://ejnorman.protectnetwork.org/" target="_blank">https://ejnorman.protectnetwork.org</a>, which is a "secure" identity page, it contains this tag:<br>
<pre id="line1">&lt;<span class="start-tag">link</span><span class="attribute-name"> rel</span>=<span class="attribute-value">"openid.server" </span><span class="attribute-name">href</span>=<span class="attribute-value">"<a href="http://openid.protectnetwork.org/server">http://openid.protectnetwork.org/server</a>"</span>&gt;&lt;/<span class="end-tag">link</span>&gt;<br>
</pre>This means that the RP will 'securely' discover that your authenticating OP is an 'insecure' URL and happily use it (again, unless the RP takes special measures that are beyond what the OpenID spec mandates). And again, DotNetOpenId does have a RequireSsl mode that does exactly this, which would essentially deny you the ability to log in with this Claimed Id because it has an insecure element in the chain.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 2:18 PM, Eric Norman <span dir="ltr">&lt;<a href="mailto:ejnorman@doit.wisc.edu">ejnorman@doit.wisc.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
On Jan 1, 2009, at 2:45 PM, Andrew Arnott wrote:<br>
<br>
> Eric,<br>
> <br>
> I believe it is exactly the problem that Peter is facing.<br>
> <br>
> Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote<br>
> https to http (or if so it would be a bug), but it will go through all<br>
> endpoints listed for a given OpenID and choose from among that list. <br>
> So if your OpenID has multiple service endpoints listed (through an<br>
> XRDS file) can you check whether a non HTTPS OP Endpoint is among the<br>
> list?<br>
<br>
</div>The address bar said http, but I might have looked<br>
too quickly. It could have been protectnetwork that<br>
did the demotion.<br>
<div class="Ih2E3d"> <br>
> I'd very much like to know the particular OpenID you were trying it<br>
> with so I can examine the behavior if you'd care to share (perhaps off<br>
> the list if you wish).<br>
<br>
</div><a href="https://ejnorman.protectnetwork.org" target="_blank">https://ejnorman.protectnetwork.org</a><br>
<br>
This has worked at some OpenID sites in the past.<br>
<br>
In any case, there's certainly a bug somewhere since<br>
the error message I quoted is complaining about<br>
something I never typed.<br>
<div><div></div><div class="Wj3C7c"><br>
Eric Norman<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
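The check discussed in the message above, sketched as an added example (not part of the original thread and not DotNetOpenId's implementation): an RP-side filter that parses HTML discovery links and refuses any OP endpoint that breaks the HTTPS chain. The function names, the constructed sample page, and the policy of rejecting everything when the Claimed Identifier itself is not HTTPS are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, modelled on the <link> tag quoted in the message.
SAMPLE_PAGE = (
    '<html><head><link rel="openid.server" '
    'href="http://openid.protectnetwork.org/server"></link></head></html>'
)


class EndpointLinks(HTMLParser):
    """Collects href values of <link> tags that advertise an OP endpoint."""

    # openid.server is the OpenID 1.x rel value, openid2.provider the 2.0 one.
    RELS = {"openid.server", "openid2.provider"}

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        rels = set(attr.get("rel", "").lower().split())
        if rels & self.RELS and attr.get("href", "").strip():
            self.endpoints.append(attr["href"].strip())


def discover_endpoints(html):
    parser = EndpointLinks()
    parser.feed(html)
    return parser.endpoints


def is_https(url):
    return urlsplit(url).scheme.lower() == "https"


def check_chain(claimed_id, html, require_ssl=True):
    """Return (accepted, rejected) endpoint lists for one discovered page."""
    endpoints = discover_endpoints(html)
    if not require_ssl:
        return endpoints, []        # spec-minimum behaviour: use what was found
    if not is_https(claimed_id):
        return [], endpoints        # assumption: the whole chain must be HTTPS
    accepted = [e for e in endpoints if is_https(e)]
    rejected = [e for e in endpoints if not is_https(e)]
    return accepted, rejected
```

With the strict setting, the sample page yields no usable endpoint, so login with that identifier fails closed rather than continuing over plain HTTP.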