<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">At some point we need to deal with this issue of step-up authentication.<div><br></div><div>When a user with an http: URI turns up at a site with the https: scheme.</div><div><br></div><div>RPs are expressly forbidden from treating them as equivalent by OpenID 2.0.</div><div><br></div><div>Finding a way to allow RPs to migrate users from http to https seems a reasonable goal.</div><div><br></div><div>Going the other way should be precluded.</div><div><br></div><div>The RP at the moment is required to normalize to http if the user is not explicit.</div><div><br></div><div>There are a bunch of things that are leading security to be the lowest common denominator.</div><div><br></div><div>I am hoping that some of the things in the GSA profile will get people thinking about some of the issues.</div><div><br></div><div>John B.</div><div><br></div><div><br><div><div>On 2009-09-17, at 12:58 PM, Steven Livingstone Pérez wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="hmmessage" style="font-size: 10pt; font-family: Verdana; ">I recently had this issue and decided to drop http and use https exclusively.<br><br>Inconvenience for some but solves a lot of potential pain. In addition I allow 'linking' of other OpenIDs so you can use others if you wish. 
On my site it is now all SSL.<br><br>BUT I'm not AOL and appreciate your pain given the pain I went through.<br><br>steven<br><a href="http://livz.org">http://livz.org</a><br><br>> Date: Thu, 17 Sep 2009 11:52:19 -0400<br>> From: <a href="mailto:gffletch@aol.com">gffletch@aol.com</a><br>> To: <a href="mailto:peterw@tux.org">peterw@tux.org</a><br>> CC: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>> Subject: Re: [OpenID] https discovery &amp; login for AOL at long last?<br>> <br>> Hi Peter,<br>> <br>> A couple of things:) We are working on supporting https identifiers and <br>> from a directed-identity perspective, all pair-wise pseudonymous <br>> "OpenIDs" will be SSL. We are also working on resolving the SSL issue <br>> for <a href="http://openid.aol.com">openid.aol.com</a>, so that you can use <br>> <a href="https://openid.aol.com/identifier">https://openid.aol.com/identifier</a> as a valid OpenID. I can't promise any <br>> timelines (normal big company stuff) but this is a goal of our ongoing <br>> OpenID work.<br>> <br>> We do have a "unique" problem (shared by a few other OPs) in that we <br>> have active users using http-based OpenIDs at Relying Parties across the <br>> web. 
So we can't move to SSL-only OpenIDs without breaking those <br>> customers' experience. I suspect that if you force all OpenIDs to be <br>> SSL, then a user's interaction with your site will work just fine.<br>> <br>> I have heard a couple of reasonable suggestions (notably Breno from Google) <br>> for helping to connect an https OpenID to an http one by leveraging the <br>> OpenID XRDS file retrievable over SSL. There are currently no <br>> "standards" around this, but I believe it is worth exploring. However, <br>> it would mean that RPs would need to do some extra work which is <br>> questionable.<br>> <br>> Again, I can't promise dates, but this is on our roadmap:)<br>> <br>> Thanks,<br>> George<br>> <br>> <br>> John Bradley wrote:<br>> > Expect positive news from AOL.<br>> ><br>> > They have been working very hard behind the scenes.<br>> ><br>> > They have OpenID 2.0 RP support enabled on some of their sites.<br>> > They don't get proper credit for that.<br>> ><br>> > I can confirm that they are in testing for the GSA pilot as an OpenID <br>> > 2.0 OP.<br>> ><br>> > John B.<br>> > On 2009-09-16, at 5:27 PM, Peter Watkins wrote:<br>> ><br>> >> Wired says that the US federal government will soon let people<br>> >> log in to government Web sites with OpenID identifiers from a select<br>> >> few RPs, including AOL<br>> >> <a 
href="http://www.wired.com/epicenter/2009/09/feds-embrace-openid/">http://www.wired.com/epicenter/2009/09/feds-embrace-openid/</a><br>> >><br>> >> The Wired article implies that AOL has https-only authentication <br>> >> enabled:<br>> >><br>> >> "These companies have undergone a certification process designed by the<br>> >> Information Card Foundation, the OpenID Foundation and the federal<br>> >> government that guarantees certain privacy safeguards. For instance,<br>> >> the sites have to use SSL to handle logins"<br>> >><br>> >> Does AOL finally have https-secured OpenID authentication? Perhaps with<br>> >> directed identity? The only way I know to use directed identity with AOL<br>> >> is via <a href="http://openid.aol.com/">http://openid.aol.com/</a>. That server does have a certificate <br>> >> installed,<br>> >> but the cert is for <a href="http://api.screenname.aol.com">api.screenname.aol.com</a>, and <br>> >> <a href="https://api.screenname.aol.com/">https://api.screenname.aol.com/</a><br>> >> is not a valid URL for OpenID discovery.<br>> >><br>> >> Does this .gov news release herald a rebirth of AOL as an OpenID RP?<br>> >><br>> >> Thanks,<br>> >><br>> >> Peter<br>> >><br>> >> _______________________________________________<br>> >> general mailing list<br>> >> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>> >> <a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a><br>> ><br>> <br>> -- <br>> Chief Architect<br>> Identity Services, AOL<br>> Blog: <a href="http://practicalid.blogspot.com">http://practicalid.blogspot.com</a><br></div></span></blockquote></div><br></div></body></html>