I don't think we need a federation built up around trusting certificates. We already have the certificate authority (CA) model. I think to get your OpenID working everywhere, you need everyone to start trusting the CA that signed your HTTPS cert, or you need to get a new HTTPS cert that is signed by a more well-known CA (the latter being easier, of course).<br>
<br>As far as the sites you listed that already accept it, either they happen to trust your CA already, or they don't verify that the CA is in a trusted list at all, which is actually quite insecure IMO.<br><br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Wed, Dec 31, 2008 at 10:57 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I don't know what the AOL protocol bug is, to be honest. I
did wonder (5% fidelity) given the common AOL relationship if it was the
same as mine, which really showed up with an AOL-related RP (mapquest) last
week – when an AOL login page showed up, with some bizarre (obviously
buggy) formatting, once I pointed the mapquest RP to my own OP (myopenid) --
via that Austrian URL.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">In general :- </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">AOL rejects my .at URL (rather bizarrely, initiated from
mapquest). Nerdbank rejects it. Plaxo rejects it. Pbwiki accepts it. Foundation
membership accepts it. Foundation blog accepts it.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Is this a bug? Or just a feature of openid?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">As a user I think I expect "Foundation-related" RPs
to be in some kind of network – call it an "affiliation"
perhaps. What the foundation accepts, all its "peers RP" accept –
including that stuff about CAs.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">What Rapattoni accepts, perhaps other US realty sites accept.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I don't really know what the CX proposal
contemplates, either. Hopefully it can make my .at openid work at AOL/mapquest.
It may have to address the CA stuff. Rather than some happenstance recognition
by the RP at its hosting site, we may need some kind of affiliation model. If
United reservations accept my openid, so do all the car rental companies, for
example.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> Andrew Arnott
[mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, December 31, 2008 8:50 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in AOL OpenID Provider implementation</span></p>
</div>
</div>
<p> </p>
<p style="margin-bottom: 12pt;">Hi Peter,<br>
<br>
I just checked out the <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
URL you mentioned. The reason the <a href="http://nerdbank.org/rp" target="_blank">http://nerdbank.org/rp</a>
site rejects that URL is because the HTTPS certificate is not signed by a
recognized cert authority at the server hosting the site. <br>
<br>
This doesn't actually have anything to do with the AOL issue, right? (Does this
deserve its own thread?) I just want to make sure I'm understanding the issue
you're getting at. I'm also not familiar with this CX thing. Is
that a certificate exchange protocol that's in the works?<br>
<br>
Thanks.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>> wrote:</p>
<div>
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I tried to use my <a href="https://cacert.at/homepw" target="_blank">https://cacert.at/homepw</a>
url at dotnetopenid the other day. </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">It works at pbwiki and openid
foundation, and showed the (good news) padlock.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">(If I'm an ordinary user, I'm
now confused. If I get on the phone (costing me $10, and the provider $25) I'll
probably understand very little of what the level 1 support person tells me about
trust networks, and CA CTLs. I'm 58, and all I know is it worked at the openid
foundation and not at dotnetopenid. Why wouldn't it?)</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Anyone looked at Nat's proposal
CX again, recently, while I'm ranting?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, December 31, 2008 5:02 PM<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] Bug in AOL OpenID Provider implementation</span></p>
</div>
</div>
<div>
<div>
<p> </p>
<p style="margin-bottom: 12pt;">Is there anyone on this list who works for or
with AOL OpenID folks? I have (below) a description of an interop issue
with the AOL OpenID Provider that may be a bug they should look at.<br>
<br>
Thanks.<br>
<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<p>---------- Forwarded message ----------<br>
From: <b>Andrew Arnott</b> <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>><br>
Date: Wed, Dec 31, 2008 at 5:50 PM<br>
Subject: Re: [dotnetopenid] problems with AOL today?<br>
To: <a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a><br>
<br>
<br>
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this on to the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug pronto!<br>
<br>
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base
64 encoded) value, which must be URL encoded because it is a URL
parameter. Then since the return_to URI is itself a URL parameter, it is
encoded again. <br>
<br>
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.<br>
<br>
<b>Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.</b></p>
<pre>2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
 openid.mode: checkid_setup
 openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
 openid.trust_root: <a href="http://nerdbank.org/RP/" target="_blank">http://nerdbank.org/RP/</a>
 openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%2b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
 openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
 openid.ns.sreg: <a href="http://openid.net/extensions/sreg/1.1" target="_blank">http://openid.net/extensions/sreg/1.1</a>
 openid.sreg.policy_url: <a href="http://nerdbank.org/RP/PrivacyPolicy.aspx" target="_blank">http://nerdbank.org/RP/PrivacyPolicy.aspx</a>
 openid.sreg.required: gender,postcode,timezone
 openid.sreg.optional: email,country

2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to <a href="https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE" target="_blank">https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>%252b</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry

2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
 ReturnUrl: /rp/MembersOnly/Default.aspx
 token: ATjrrFUCgj1z1e2dmRTszTnE<span style="color: red;">4tB iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
 OpenIdTextBox_UsePersistentCookie: False
 openid.mode: id_res
 openid.identity: <a href="http://openid.aol.com/webmyway" target="_blank">http://openid.aol.com/webmyway</a>
 openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
 openid.return_to: <a href="http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE" target="_blank">http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE</a><span style="color: red;">4tB<b>+</b>iV9nz</span>Te78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
 openid.signed: identity,return_to
 openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
 openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
</pre>
<p>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire</p>
<div>
<div>
<p style="margin-bottom: 12pt;"> </p>
<div>
<p>On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <<a href="mailto:jnylund@yahoo.com" target="_blank">jnylund@yahoo.com</a>>
wrote:</p>
<p style="margin-bottom: 12pt;"><br>
Hey, anyone else having issues with AOL openid? As of today on my site I can't
use aol to login or signup; there is a problem with the token they are sending
over. I haven't had a chance to debug yet, just wondering if anyone else has seen it?<br>
<br>
When I try using Andrew's site I see the same problem:<br>
<br>
Server Error in '/RP' Application.<br>
Invalid length for a Base-64 char array.<br>
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.<br>
<br>
Exception Details: System.FormatException: Invalid length for a Base-64 char
array.<br>
<br>
Source Error:<br>
<br>
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.<br>
<br>
Stack Trace:<br>
<br>
[FormatException: Invalid length for a Base-64 char array.]<br>
System.Convert.FromBase64String(String s) +0<br>
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
store) in Token.cs:82<br>
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
verifySignature) in AuthenticationResponse.cs:222<br>
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
OpenIdRelyingParty.cs:294<br>
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
OpenIdTextBox.cs:639<br>
System.Web.UI.Control.LoadRecursive() +47<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Control.LoadRecursive() +131<br>
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436<br>
<br>
<br>
<br>
thanks<br>
<span style="color: rgb(136, 136, 136);">Joel</span></p>
</div>
<p> </p>
</div>
</div>
</div>
<p> </p>
</div>
</div>
</div>
</div>
</div>
</div>
<p> </p>
</div>
</div>
</div>
</blockquote></div><br>
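Added example (my own, not code from the thread, DotNetOpenId or AOL): a Python model of the return_to round trip Andrew's analysis describes. The endpoint URLs are taken from the log above; the token is constructed so that its base64 form contains a '+'. Both the once-decoded OP path and the extra-decode path are run, and the RP-side check that the echoed return_to matches the one it sent is shown as the mitigation an RP can apply on its own.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Endpoints come from the log in the thread; the token is constructed so that
# its base64 form contains '+', the character the thread shows being mangled.
RP_LOGIN = "http://nerdbank.org/RP/login.aspx"
OP_ENDPOINT = "https://api.screenname.aol.com/auth/openidServer"
TOKEN = base64.b64encode(b"\x01\x02\x03\xfb\xef\xbe").decode()  # "AQID++++"

def rp_build_request():
    # RP side: '+' in the token is a query value, so it becomes %2B inside
    # return_to, and %252B once return_to is itself placed in a query string.
    return_to = RP_LOGIN + "?" + urlencode(
        {"ReturnUrl": "/rp/MembersOnly/Default.aspx", "token": TOKEN})
    request = OP_ENDPOINT + "?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.return_to": return_to})
    return return_to, request

def op_respond(request_url, buggy):
    # OP side: parsing its own query string decodes return_to exactly once,
    # which leaves %2B intact. A second decode (modelling the behaviour the
    # thread describes, not AOL's code) turns %2B into a literal '+'.
    return_to = parse_qs(urlsplit(request_url).query)["openid.return_to"][0]
    if buggy:
        return_to = unquote(return_to)
    # Indirect response: redirect the user agent to return_to plus openid.* params.
    return return_to + "&" + urlencode(
        {"openid.mode": "id_res", "openid.return_to": return_to})

def rp_parse_response(sent_return_to, response_url):
    # RP side: a literal '+' in a query string is a space, which is what
    # Convert.FromBase64String rejects in the stack trace Joel posted.
    query = parse_qs(urlsplit(response_url).query)
    token = query["token"][0]
    try:
        base64.b64decode(token, validate=True)
        status = "ok"
    except binascii.Error:
        status = "base64 error"
    # Check an RP should make regardless: the echoed return_to must match
    # what it sent byte for byte, which also exposes this bug cleanly.
    matches = query["openid.return_to"][0] == sent_return_to
    return token, status, matches

def round_trip(buggy):
    sent_return_to, request = rp_build_request()
    return rp_parse_response(sent_return_to, op_respond(request, buggy))
```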