Hi Eric,<br><br>DotNetOpenId is the .NET implementation of OpenID that is used at <a href="http://nerdbank.org/rp">nerdbank.org/rp</a>. And no, <a href="http://nerdbank.org/rp">nerdbank.org/rp</a> is <i>not</i> configured with RequireSsl, although I mean to add a checkbox to the login page to allow the user to turn the feature on for demo purposes. And you're correct in gathering that if that (as yet non-existent) checkbox was checked, the authentication would never start, and you'd get a meaningful error message stating that the auth could not be completed securely and was therefore aborted.<br>
<br>Regarding the error message that you're seeing, I agree it is not very helpful to an end user. There is definitely room for improvement in this area. The only way I was able to diagnose the real problem is by reviewing the logs that were available at <a href="http://nerdbank.org/rp/tracepage.aspx">http://nerdbank.org/rp/tracepage.aspx</a> after you had tried to authenticate. The logs provide the kind of information that you could send protectnetwork and expect that they could do something with it.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 5:36 PM, Eric Norman <span dir="ltr">&lt;<a href="mailto:ejnorman@doit.wisc.edu">ejnorman@doit.wisc.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
On Jan 1, 2009, at 5:20 PM, Andrew Arnott wrote:<br>
<br>
> Eric, I notice that although your Claimed Identifier in your example<br>
> is <a href="https://ejnorman.protectnetwork.org" target="_blank">https://ejnorman.protectnetwork.org</a>, which is a "secure" identity<br>
> page, it contains this tag:<br>
> &lt;link rel="openid.server"<br>
> href="<a href="http://openid.protectnetwork.org/server" target="_blank">http://openid.protectnetwork.org/server</a>"&gt;&lt;/link&gt;<br>
><br>
><br>
> This means that the RP will 'securely' discover that your<br>
> authenticating OP is an 'insecure' URL and happily use it (again,<br>
> unless the RP takes special measures that are beyond what the OpenID<br>
> spec mandates). And again, DotNetOpenId does have a RequireSsl mode<br>
> that does exactly this, which would essentially deny you the ability<br>
> to log in with this Claimed Id because it has an insecure element in<br>
> the chain.<br>
<br>
</div>OK, I think I understand what you're saying.<br>
<br>
I don't know what you mean by DotNetOpenID. But if you're<br>
saying that the RP that I used (<a href="http://nerdbank.org/rp" target="_blank">nerdbank.org/rp</a>) does the<br>
RequireSSL thing, then how come I was allowed to continue<br>
the process of authenticating to protectnetwork?<br>
<br>
And let's not forget that the error message I quoted is<br>
not appropriate. If I'm supposed to talk to the<br>
protectnetwork OP about this problem, then sending them<br>
that error message is really going to help, isn't it?<br>
(That was sarcasm).<br>
<div><div></div><div class="Wj3C7c"><br>
Eric Norman<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
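The check discussed in this thread, as an added example that is not part of the original messages and is not DotNetOpenId's code: a relying party that requires SSL rejects the login when any URL in the discovery chain is not https. It assumes HTML-based discovery only; the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values that name the OP endpoint in HTML discovery (OpenID 1.x and 2.0).
ENDPOINT_RELS = {"openid.server", "openid2.provider"}


class _EndpointLinks(HTMLParser):
    """Collects href values of <link> tags that name an OP endpoint."""

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if rels & ENDPOINT_RELS and a.get("href"):
            self.endpoints.append(a["href"].strip())


def insecure_hops(claimed_id, identity_page_html):
    """Return every URL in the discovery chain that is not https.

    An empty list means the chain passes a require-SSL policy.
    """
    parser = _EndpointLinks()
    parser.feed(identity_page_html)
    chain = [claimed_id] + parser.endpoints
    return [u for u in chain if urlsplit(u).scheme.lower() != "https"]


def check_discovery(claimed_id, identity_page_html):
    """Raise before any redirect to the OP if a hop is insecure."""
    bad = insecure_hops(claimed_id, identity_page_html)
    if bad:
        raise ValueError("authentication aborted, insecure URL in chain: " + ", ".join(bad))


# Constructed identity page carrying the link tag quoted in the thread.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://openid.protectnetwork.org/server"></link>
</head><body></body></html>"""

if __name__ == "__main__":
    print(insecure_hops("https://ejnorman.protectnetwork.org", SAMPLE_PAGE))
```

Naming the offending URL in the error gives the user something concrete to forward to the OP operator.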