Hi André,<div><br></div><div>I'm finally getting around to writing those UTF-8 signature tests you asked for. It occurs to me that the only place it matters is in an OP positive assertion sent via POST. Query strings have very strict rules about allowable characters, and UTF-8 characters will have to be properly escaped for query string transport, which eliminates any signature issues. POST, however, I think is more capable of carrying UTF-8 payloads. So I'm designing the UTF-8 signature test to verify that OPs properly sign a positive assertion from an RP that intentionally encourages the OP to use POST instead of GET.</div>
<div><br></div><div>If you think I'm missing something please let me know.</div><div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Jun 1, 2009 at 8:18 AM, André Cruz <span dir="ltr">&lt;<a href="mailto:andre.cruz@co.sapo.pt">andre.cruz@co.sapo.pt</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">Great suite of tests, Andrew.<div><br><div><div class="im"><div>On Jun 1, 2009, at 14:41 , Andrew Arnott wrote:</div><br><blockquote type="cite">Although I've not been able to reproduce the problem yet, I did add a few POST interop tests to the OSIS site. Can you test against that and if you can repro it give me instructions to do so?<br>
<a href="http://test-id.org/RP/POSTAssertion.aspx" target="_blank">RP accepts POST assertion</a><br>
</blockquote><div><br></div></div>Google/Blogger comments FAIL.</div><div><br></div><div>You can try to post a comment <a href="http://ljsapo.blogspot.com/2007/02/teste-para-tags.html#comments" target="_blank">http://ljsapo.blogspot.com/2007/02/teste-para-tags.html#comments</a></div>
<div>Choose openid, fill captcha, result: Your OpenID credentials could not be verified.</div><div><br></div><div><br></div><div>SourceForge login FAIL</div><div><br></div><div><a href="https://sourceforge.net/account/login.php" target="_blank">https://sourceforge.net/account/login.php</a></div>
<div><br></div><div>Error: Could not verify your OpenID. Please try again.</div><div><br></div><div><br></div><div>Plaxo OK</div><div><br></div><div><a href="https://www.plaxo.com/openid?r=%2Fevents" target="_blank">https://www.plaxo.com/openid?r=%2Fevents</a></div>
<div><br></div><div><br></div><div><div class="im"><blockquote type="cite"> <a href="http://test-id.org/OP/POSTRequests.aspx" target="_blank">OP accepts POSTed authentication requests</a><br>
</blockquote><div><br></div></div><div>myopenid OK</div><div class="im"><div><br></div><br><blockquote type="cite"> <a href="http://test-id.org/OP/POSTAssertion.aspx" target="_blank">OP sends large assertions as POST</a><br>
</blockquote><div><br></div></div></div>myopenid OK</div><div><br></div><div>Can you make one that exercises the UTF-8 encoding of attributes (SREG and AX)? Both in the OP (to check the signature generated) and in the RP (to check the signature verification).</div>
<div><br></div><div>Thanks,</div><div>André</div><font color="#888888"><div><br></div></font></div></blockquote></div><br></div>
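Added example, not part of this thread or of the OSIS test suite: a sketch of what a UTF-8 signature test checks, where an OP signs a positive assertion with a non-ASCII SREG value, sends it as a form-encoded POST body, and the RP's signature check passes only when it decodes the body as UTF-8. The key, endpoints, field values, function names and the choice of HMAC-SHA256 are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode

MAC_KEY = b"constructed-association-secret"  # constructed sample, not a real key
ASSERTION = {  # constructed positive assertion carrying a non-ASCII SREG value
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/andre",
    "openid.identity": "https://op.example/andre",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2009-06-01T15:18:00Zk3",
    "openid.assoc_handle": "assoc-1",
    "openid.sreg.fullname": "André Cruz",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,sreg.fullname",
}

def kv_form(fields):
    """Key-Value Form of the signed fields: 'key:value\\n' lines, as UTF-8 bytes."""
    keys = fields["openid.signed"].split(",")
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys).encode("utf-8")

def sign(mac_key, fields):
    """Base64 HMAC-SHA256 over the key-value form (what the OP puts in openid.sig)."""
    mac = hmac.new(mac_key, kv_form(fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def build_post_body(mac_key, fields):
    """OP side: sign, then form-encode using UTF-8 percent-escapes."""
    return urlencode({**fields, "openid.sig": sign(mac_key, fields)})

def parse_post(body, charset):
    """RP side: decode the form body; `charset` is what the RP assumes."""
    return dict(parse_qsl(body, keep_blank_values=True, encoding=charset))

def verify(mac_key, fields):
    """RP side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(mac_key, fields), fields.get("openid.sig", ""))

BODY = build_post_body(MAC_KEY, ASSERTION)

if __name__ == "__main__":
    for cs in ("utf-8", "latin-1"):  # correct decoding vs. a mis-decoding RP
        got = parse_post(BODY, cs)
        print(cs, repr(got["openid.sreg.fullname"]), verify(MAC_KEY, got))
```

An RP that decodes the body as Latin-1 sees "AndrÃ© Cruz", rebuilds different signed bytes and rejects an assertion the OP signed correctly.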