<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Menlo;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText"><span style="color:#1F497D">Can you guys retest this? Roland believes that he’s fixed
</span><a href="https://bitbucket.org/openid/certification/issue/100/op-test-server-not-including-intermediate">https://bitbucket.org/openid/certification/issue/100/op-test-server-not-including-intermediate</a><span style="color:#1F497D">.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color:#1F497D"> Thanks,<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-ab [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Tuesday, March 17, 2015 8:52 AM<br>
<b>To:</b> John Bradley; Justin Richer<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net Ab<br>
<b>Subject:</b> Re: [Openid-specs-ab] Certificates on Certification Site<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">File a bug at
<a href="https://bitbucket.org/openid/certification/issues?status=new&status=open">
https://bitbucket.org/openid/certification/issues?status=new&status=open</a> asking Roland to add the intermediate cert to what’s returned.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-ab [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>John Bradley<br>
<b>Sent:</b> Tuesday, March 17, 2015 8:42 AM<br>
<b>To:</b> Justin Richer<br>
<b>Cc:</b> openid-specs-ab@lists.openid.net Ab<br>
<b>Subject:</b> Re: [Openid-specs-ab] Certificates on Certification Site<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">The server is not including the intermediate EV certificate authority from Symantec.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">The server returns:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">openssl s_client -showcerts -connect
<a href="http://op.certification.openid.net">op.certification.openid.net</a>:60054<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">CONNECTED(00000003)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street
= 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN =
<a href="http://op.certification.openid.net">op.certification.openid.net</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">verify error:num=20:unable to get local issuer certificate<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">verify return:1<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2158113, C = US, postalCode = 94043, ST = California, L = Mountain View, street
= 350 Ellis Street, O = Symantec Corporation, OU = Cloud Platform Engineering, CN =
<a href="http://op.certification.openid.net">op.certification.openid.net</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">verify error:num=21:unable to verify the first certificate<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">verify return:1<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">---<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">Certificate chain<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo"> 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec
Corporation/OU=Cloud Platform Engineering/CN=<a href="http://op.certification.openid.net">op.certification.openid.net</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo"> i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">-----BEGIN CERTIFICATE-----<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">MIIHKjCCBhKgAwIBAgIQDRyJD75wYaMnuXDaL8O5CjANBgkqhkiG9w0BAQsFADB3<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMjE3MDAwMDAwWhcNMTcwMjE3<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">MjM1OTU5WjCCATAxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">VQQFEwcyMTU4MTEzMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFOTQwNDMxEzARBgNV<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxGTAXBgNVBAkM<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">EDM1MCBFbGxpcyBTdHJlZXQxHTAbBgNVBAoMFFN5bWFudGVjIENvcnBvcmF0aW9u<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">MSMwIQYDVQQLDBpDbG91ZCBQbGF0Zm9ybSBFbmdpbmVlcmluZzEkMCIGA1UEAwwb<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">b3AuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOC<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AQ8AMIIBCgKCAQEAy18YtrcaXsiPUjBvA5YmdIysHXoYJc++06Eg3MTlwW1tRBh9<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">axi5XHWmBFm1g5AWXkcf3vFweGXqcKOeZ0UPNVxDU0Wsn7TScaVcxRk2gdLkoVX9<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">R9wPY3KNEaHsTx7rMOrIrdbeMuHPgMrSp2ovLWeJq5mARdyxjeTjp73VJPoDQADF<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">qO74cmoL/EyUqy/MYmDIgGG7SAl8i2QOPP0NQmZJpAmghG8aL1WDUac5T8qkAlj7<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AUkOPW3gSdWkgf1XjXLPqzvjBCv7E+WiubTSYwxSWKSV+xIUrJskTt9MpHSpfA5i<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">tn6ySTtSKEFcYffzqL0gmr+CZXxjf6I4RNlnfQIDAQABo4IC9TCCAvEwJgYDVR0R<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">BB8wHYIbb3AuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0MAkGA1UdEwQCMAAwDgYD<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBmBgNV<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">HSAEXzBdMFsGC2CGSAGG+EUBBxcGMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5z<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">eW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20v<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">cnBhMB8GA1UdIwQYMBaAFAFZq+fdOgtZpmRj1s8gB1fVkedqMCsGA1UdHwQkMCIw<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">IKAeoByGGmh0dHA6Ly9zci5zeW1jYi5jb20vc3IuY3JsMFcGCCsGAQUFBwEBBEsw<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">STAfBggrBgEFBQcwAYYTaHR0cDovL3NyLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYa<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">aHR0cDovL3NyLnN5bWNiLmNvbS9zci5jcnQwggF8BgorBgEEAdZ5AgQCBIIBbASC<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AWgBZgB1AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABS5mVPBQA<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AAQDAEYwRAIgEWZrnpfk5KxkNOS2fAJhejH7FNruS7AY17KxeBM+FjACIGoT8y58<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">cEzct7HRIkGqPjRvTe1WcMoB2luFC8+wQoW1AHUAVhQGmi/XwuzT9eG9RLI+x0Z2<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">ubyZEVzA75SYVdaJ0N0AAAFLmZU+JAAABAMARjBEAiA+wsXCQI7RcfLTuLD9PfqM<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">oJxL46fdGtqHFETTmwgopwIgWWlV/j9DRXnpzZFERVrnhICUzaie7SpfPcJUs48u<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">QzUAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUuZlTwIAAAE<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">AwBHMEUCIQCOjiOcSMRuCtHwsQIHGyynPhmceRZU6TtAb587tO7JZwIgSUJ8PGM8<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">XQ/CEIiSGuLwG/SdiyEBKgqO69iylnty8rQwDQYJKoZIhvcNAQELBQADggEBAJcQ<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">0bVMn5JBaUzxknIj8K5pAbetQZaF8dvjnylZrcytfrDB/RBYPhUC3mpS1YB47Oqf<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">F9oBjSA+fqWlgF/qKBEDF3bz7cAsGKQmrICnZzXGncyH6IXXbkDnXT+nDwYPln1V<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">HNvBrs7ImTFpvcpFdksNKFfM/fh+DfChWU4+817AMdSWf4RO/gfEAv7FAd3qV4fR<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">3U1vDvDp4bJB4gCSKjXCecQfJI5iAVSU/SgggjMXybCLXvxcRpQ0U6uBq3vHjao1<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">t1fK0yP5f4wdxaC2nDn+d6Q1RoXstorgTF8ysVLTnE2iKjoWzjlf4M/AO/ckcmW8<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">0DKvHlqA2G04svnXScY=<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">-----END CERTIFICATE-----<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">---<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">Server certificate<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec
Corporation/OU=Cloud Platform Engineering/CN=<a href="http://op.certification.openid.net">op.certification.openid.net</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">---<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">No client certificate CA names sent<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">---<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">SSL handshake has read 2151 bytes and written 680 bytes<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:Menlo">---<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Mar 16, 2015, at 9:36 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">During the OP testing, in order to get the jwks_uri tests to pass, I had to add the certificate for <a href="https://op.certification.openid.net:60054/export/jwk_60054.json">https://op.certification.openid.net:60054/export/jwk_60054.json</a> to
the Java keystore on our server before it was able to read the URL properly. I visited the URL directly in Firefox, exported the cert from there in PEM format, then imported it into Tomcat’s keystore and restarted the server. From that point, the test ran
fine. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">I haven’t looked too hard into the cause of this, since the workaround seemed to do its job. I don’t know if there’s something that can be done on the server side to mitigate this, though Brian was under the impression that it was missing
the intermediary certificate and that might help things. Interestingly, doing interop testing of our RP with several other servers also gives SSL errors of various flavors, so I’m largely chalking this up to bad client-side SSL support on the Java platform,
but others might run into something similar with the certification server. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> — Justin<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>