<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This general topic has been confusing me for a week (being dumb).
Reading the spec further helped zero (seeing as it’s minimalist and abstruse)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Enter an https URL at pbwiki, the OP (myopenid) will do
its things over foreground https, but the resulting challenge screen only petitions
for user auth about my http:// openid claim (which I didn’t make). It
sends back an positive assertion about the https:/../ form though.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Myopenid presented the https claim in its UI (over foreground https)
in other RP cases - the openid foundation blog site, as I 49% recall.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Can one properly present a https claim to an OP that does not advertise
an https-capable OP endpoint?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Thursday, January 01, 2009 12:45 PM<br>
<b>To:</b> Eric Norman<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>Eric,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>I believe it is exactly the problem that Peter is facing.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Regarding the behavior you saw, Eric, DotNetOpenId doesn't
ever demote https to http (or if so it would be a bug), but it will go through <em>all</em>
endpoints listed for a given OpenID and chooses from among that list. So
if your OpenID has multiple service endpoints listed (through an XRDS file) can
you check whether a non HTTPS OP Endpoint is among the list?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>I'd very much like to know the particular OpenID you were
trying it with so I can examine the behavior if you'd care to share (perhaps
off the list if you wish).<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>On Thu, Jan 1, 2009 at 12:52 PM, Eric Norman <<a
href="mailto:ejnorman@doit.wisc.edu">ejnorman@doit.wisc.edu</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
On Jan 1, 2009, at 12:14 PM, Andrew Arnott wrote:<br>
<br>
> Because of that, the list of CAs that work with <a
href="http://nerdbank.org/" target="_blank">http://nerdbank.org</a> is<br>
> whatever list GoDaddy happens to use (since they happen to host that<br>
> web site).<o:p></o:p></p>
</div>
<p class=MsoNormal>That may be the case, but it's probably not relevant or at
best<br>
only a part of the problem.<br>
<br>
When I tried going to <a href="http://nerdbank.org/rp" target="_blank">nerdbank.org/rp</a>
and typing in an OpenID<br>
that starts with "https:", the server at nerdbank changed it<br>
to "http:" and used that to connect with my OP. Other than<br>
the fact that I don't appreciate the weakening of security,<br>
it also failed and said "Login failed: The 'openid.identity'<br>
parameter was expected to have the value 'https:...' but had<br>
'http:...' instead".<br>
<span style='color:#888888'><br>
Eric Norman</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>