<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>And w hat is “proper” use of https in openid
discovery?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Should a conforming OP doing SP discovery by pulling the XRDS
from an https endpoint be able to talk to an INDEPENDENT OCSP server that gives
reputation information on the server certs supplied?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In the “auto-connect” metadata model of Ping Identity
(which is like a polished version of openid’s SP/OP discovery), metadata very
similar to XRDS is obtained from (https) URLs bound (by websso switch configuration)
to the domain name of the email identifiers users enter at RPs. (This is
similar to how openiders enter URls/XRIs).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>To each websso-switch registered root cert (e.g. the server cert
from RapidSSL that is added to the switch’s root store) the switch administrator
configures a URL pointing to the reputation/validity server operated by the SSO
domain operator (not the CA/PKI, note). During https cert processing, the
switch uses the IETF’s OCSP protocol, enabling the websso switch to
determine the reputation of the cert, as adjuged by the SSO trust network.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This all works quite nicely with RPs that are doing SSL virtual
hosting. Depending on which trust network (OP->RP->OAUTH-SP) the RPs and
SPs are operating under, the RP component of an AC or SP would supply a
different SSL server cert …pointing to a different validation/reputation
server for that AC->SPs trust network.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>OpenID could standardize the kind of thing above, now - since it’s
all standard (but professional grade) https. We can’t just punt to
whatever some library maker in Debian did, though.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Tuesday, January 13, 2009 11:12 PM<br>
<b>To:</b> Dan Lyke<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Trying to verify that my OpenID is valid<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>I'd fully support that. <br>
<br>
I was almost going to do the same for OpenID Japan. <br>
(Also testing for proper use of https etc.) <br>
<br>
=nat<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Jan 14, 2009 at 12:12 PM, Dan Lyke <<a
href="mailto:danlyke@flutterby.com">danlyke@flutterby.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal>On Tue, 13 Jan 2009 18:31:08 -0800<o:p></o:p></p>
<div>
<p class=MsoNormal>Martin Atkins <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>>
wrote:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>> Assuming we actually have
some tests to host, this is a great idea.<br>
><br>
> However, I'm not sure that we do, do we?<o:p></o:p></p>
</div>
<p class=MsoNormal>Some time a few years ago I wrote a pretty comprehensive
YADIS test,<br>
indirectly for VeriSign. I'll see if I can track down the legal state<br>
of that.<br>
<span style='color:#888888'><br>
Dan</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><o:p></o:p></p>
</div>
</div>
</body>
</html>