<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>dotnetOpenid accepted and processed the large assertion post
from myopenid (with a largish email address, forcing foreground communication
by HTTP POST). Unlike in the SAML websso world (which has long used the same
notion of auto-submit form event handlers firing on the onload event), the
browser here visibly flashes “press this button… if no javascript”.
I’ll assume this is a myopenid coding limitation, in how they formulated their
javascript. It really ought not to show.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Since you folk evidently understand what myopenid does right and
wrong about AX, any hints on how to now have the demo DotNetOpenID RP site
request an ax attribute (that myopenid can fulfill, and whose value I can set)?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Cambria","serif"'>Congratulations, <b>https://homepw.myopenid.com/</b>.
You have completed the OpenID login process. <o:p></o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Cambria","serif"'>In addition to authenticating you, your
OpenID Provider may have told us something about you using the Simple
Registration extension: <o:p></o:p></span></p>
<table class=MsoNormalTable border=0 cellpadding=0>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Nickname <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'></td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Email <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>-----BEGIN+CERTIFICATE-----%0d%0aMIIFVzCCAz%2bgAwIBAgIDBTfsMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv%0d%0ab3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ%0d%0aQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y%0d%0adEBjYWNlcnQub3JnMB4XDTA4MDUyMDE1NTI0NVoXDTEwMDUyMDE1NTI0NVowfjEL%0d%0aMAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD%0d%0aVQQKEwtDQWNlcnQgSW5jLjEXMBUGA1UEAxMOd3d3LmNhY2VydC5vcmcxITAfBgkq%0d%0ahkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD%0d%0aggEPADCCAQoCggEBAM3iqo3YIRO2BaAEEoZ%2fUi8efBtl44PlQO71ubOvhc7lMU%2fW%0d%0aSC%2fVuw36z6O8WwvX2Lgx2gwYwJ94JvyHCAmNNQc0ohHHk7jNOeOieJKBX3kwCPnQ%0d%0aSPQJpIZwR6gcpDsblEHADjq0Qugjdn5RTAg1v65xd8Y4yoalkETgtrncTZ1fkhpg%0d%0aAVEYcx38JeLL3IHoDgTQH%2bM29XyIN2NJEnClkdoGftZlPCKEvd36T%2fkl6vrEm0Vy%0d%0aZV9orUAKG116J%2bIwn%2bqFSgiz40gtDrpz9raEyixM72DqfY%2f4Gmgs1LrN19LEPu7u%0d%0aIGvs%2fV8FqZ5twpfdctZq0iaq9fIGvWa1q9quvC0CAwEAAaOB4jCB3zAMBgNVHRMB%0d%0aAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEFBQcDAQYJYIZIAYb4QgQB%0d%0aBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEFBQcBAQQnMCUwIwYIKwYB%0d%0aBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMFcGA1UdEQRQME6CDCouY2Fj%0d%0aZXJ0Lm9yZ4IKY2FjZXJ0Lm9yZ4IMKi5jYWNlcnQubmV0ggpjYWNlcnQubmV0ggwq%0d%0aLmNhY2VydC5jb22CCmNhY2VydC5jb20wDQYJKoZIhvcNAQEFBQADggIBABjbtGob%0d%0a4GSzxFLeOEAoBl6Znt0Dk2VhsZv6IrdvcpSrhnnHvPDRXi%2bls9mwOkRT4M%2b2E3L9%0d%0aIQhMfGMveB5Nf1pfLk%2bAPCQUjVNVe7kZrxsJ18YnjqPYM3hYi3Sr96U2ixNvIGi%2b%0d%0aVaBvx1FoxHdFyKF3k2eApVWngJnCxwk%2fN4QRFP6OGeimLlPAYhw0R6SBOyPdyx3g%0d%0aL6NMDOUi9%2frz7cCNzlC8oW3Wy9VpFZh2jDTTve0JouG9%2fY8T2CFJWyrneeajecNZ%0d%0a6QLD52O2TOQRgi2Ym31J3%2brxx3Ujep85FcC4mawwweYnU6LqQ032GuWbRU9p9Oqv%0d%0aWF4ZOOnLy2ZaQdfMRBZ7dy6Dhrj8tkOjNSC4MmJDDXL0lVo0HTCo1TDVMUWIIDaK%0d%0aBZd7%2bwyoR5SXUcsuKxXGKWm9CITNFCYZttPtwtS1yH8p5YNdfhkNlr4jscWDAL2g%0d%0agLEEyRraAYjUh6Uot7mmXM2%2bIgwJX1DrS39bWghqk0gRXrkvhtx18R08dnZDJZaV%0d%0aghynZb6PSFRXYLMOqb9Uzf8%2fre6iWXwUKbzUcT1ZL4spZktfvaCUQP9YqZVYfhJ7%0d%0aXXymJqnCuXpMxzMTxbvq6zROqyRqVS%2f1hZxHhh%2fkr%2bEiNxDSkv7CJtuYVuufZkr%2b%0d%0aDBInG0zsM0C9ajuawgX3vY%2bMMbeuDTQXPcg3%0d%0a-----END+CERTIFICATE----@rapattoni.com
<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>FullName <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'></td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Date of Birth <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'></td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Gender <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Male <o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Post Code <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>89436 <o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Country <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>US <o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Language <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'></td>
</tr>
<tr>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>Timezone <o:p></o:p></span></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:"Cambria","serif"'>America/Los_Angeles
<o:p></o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Friday, January 02, 2009 9:05 PM<br>
<b>To:</b> Peter Watkins<br>
<b>Cc:</b> Martin Atkins; OpenID List<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>As Peter said, RPs can already do whitelists/blacklists.
And DotNetOpenId in particular makes a web.config file very easily
include these whitelist/blacklists that can allow RPs to be selective about
which OP endpoints they'll permit. This config file can also enable the
RequireSsl mode that I've explained earlier.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>As far as a config file that modifies that web server's
approved CA list, it's definitely an interesting idea. But be aware that
doing this is a privileged operation in .NET, and that makes it impossible to
do any special HTTPS cert approval on shared hosting on which only partial
trust is allowed to the sites that run on them. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Fri, Jan 2, 2009 at 10:10 AM, Peter Watkins <<a
href="mailto:peterw@tux.org">peterw@tux.org</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>On Fri, Jan 02, 2009 at
11:08:39AM +0200, Martin Paljak wrote:<br>
<br>
> In real life most end user software do not check for the status of a<br>
> certificate (CRL/OCSP)<o:p></o:p></p>
</div>
<p class=MsoNormal>I suspect that claim is not true. IE7 on Vista and Firefox 3
default<br>
to using OCSP -- for instance, by the time I followed the recipe for<br>
the <a href="http://www.mozilla.com" target="_blank">www.mozilla.com</a> demo
of the cert that never should've been issued,<br>
Firefox 3's OCSP check rejected it.<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
> I second here the questions often raised about CA-s by Peter Williams,<br>
> but the community has managed to subtly ignore the topic. "If there
is<br>
> a problem (which we don't believe there is) then this is for the PKI/<br>
> TLS/HTTPS guys to fix", "Just pay to a big company for your
certs",<br>
> "Apparently we use whatever CA certificates Debian uses" are all
signs<br>
> of delegating the problem somewhere else.<o:p></o:p></p>
</div>
<p class=MsoNormal>And why not delegate? TLS is a bedrock security technology
for current<br>
Web business -- from a simple Yahoo storefront to millionaires accessing<br>
their online brokerage accounts. A lot of business have a lot riding on<br>
TLS and https, and a lot of incentive to fix any problems. And we've seen<br>
them do just that. It's not perfect (I'm still peeved that Microsoft has<br>
effectively blocked attempts to give TLS RSA decent forward secrecy), but<br>
TLS is widely understood to be critically important, and people more<br>
influential than us, and smarter than me, are working on this stuff -- the<br>
improved OCSP support in Firefox and IE7 being a good illustration.<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
> In addition to "lets just do what everybody else is doing"
OpenID<br>
> could provide additional mechanisms. I once suggested having a<br>
> separate configuration file and format for RP libraries to be able to<br>
> configure white/blacklists and OP certificates/CA-s checksums and<br>
> trust settings.<o:p></o:p></p>
</div>
<p class=MsoNormal>Nothing is stopping any RP from doing that. Shoot, that's
what Microsoft's<br>
HealthVault site has been doing for OpenID all along.<br>
<span style='color:#888888'><br>
-Peter</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>