<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Changing OpenID to support artifact binding is a good long-term solution, though it is not without issues.<div><br></div><div>If RPs used SSL endpoints, POST would not be an issue. (Yes, artifact is better for mobile.)</div><div><br></div><div>In the short term we can shorten AX URIs and get RPs to use SSL.</div><div><br></div><div>The other alternative is to ban IE, because it is the source of the 2K limit for GET.</div><div>Not a problem for FF or other browsers.</div><div><br></div><div>John B.</div><div><br><div><div>On 2010-01-27, at 8:08 PM, Brian Kissel wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Nat, I know you’ve been an advocate of artifact binding; what are your thoughts here?<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><div 
style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">Cheers,<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><br>Brian<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">___________</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><o:p> </o:p></span></b></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><a href="http://www.linkedin.com/pub/0/10/254" style="color: blue; text-decoration: underline; "><span style="color: rgb(0, 51, 204); ">Brian Kissel</span></a><o:p></o:p></span></b></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">CEO - JanRain, Inc.<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', 
serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><a href="mailto:bkissel@janrain.com" style="color: blue; text-decoration: underline; ">bkissel@janrain.com</a><o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">Mobile:<span class="Apple-converted-space"> </span></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">503.342.2668<span class="Apple-converted-space"> </span></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">| Fax:<span class="Apple-converted-space"> </span></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">503.296.5502<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">519 SW 3rd Ave. Suite 600 Portland, OR 97204<o:p></o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); "><o:p> </o:p></span></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><b><i><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 204); ">Increase registrations, engage users, and grow your brand with RPX. 
Learn more at<span class="Apple-converted-space"> </span></span></i></b><b><i><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: red; "><a href="http://www.rpxnow.com/" style="color: blue; text-decoration: underline; "><span style="color: red; ">www.rpxnow.com</span></a><o:p></o:p></span></i></b></div></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; "><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>Allen Tom [mailto:atom@yahoo-inc.com]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Wednesday, January 27, 2010 3:02 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Brian Kissel; Andrew Arnott; John Bradley; Breno de Medeiros; specs<br><b>Cc:</b><span class="Apple-converted-space"> </span>Drebes, Larry; Ellin, Brian<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: Problem with nonces and HTTP GET<o:p></o:p></span></div></div></div><div style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 0.0001pt; "><o:p> </o:p></div><p class="MsoNormal" style="margin-right: 0in; margin-left: 0in; 
font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 12pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">At least with regards to HuffPo – we ended up removing attributes from the request to get under the 2KB URL limit, which eliminated the security warning since we can return the response via GET instead of POST.<br><br>At least in the near term, I’d like to compact AX so that we can squeeze in more data – we should be able to do this for AX 1.1. OPs can also implement this internal artifact mechanism to switch from HTTPS to HTTP before returning the data.<span class="Apple-converted-space"> </span><br><br>In the longer term, some form of Artifact Binding would probably be better, but I guess this would take longer to implement.<br><br>Allen<br><br><br><br>On 1/22/10 10:59 AM, "Brian Kissel" &lt;<a href="mailto:bkissel@janrain.com" style="color: blue; text-decoration: underline; ">bkissel@janrain.com</a>&gt; wrote:</span><o:p></o:p></p><p class="MsoNormal" style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; margin-top: 0in; margin-bottom: 12pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">+1 Allen, here’s what I get on HuffPo, not very compelling and probably a trigger to “Cancel” to most users. We need to fix this ASAP!<br> <br><span>[image001.png]</span><br> <br></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><br><span style="color: rgb(0, 51, 204); ">Cheers,<br><br>Brian<br><b>___________<br> <br>Brian Kissel &lt;<a href="http://www.linkedin.com/pub/0/10/254" style="color: blue; text-decoration: underline; ">http://www.linkedin.com/pub/0/10/254</a>&gt;<span class="Apple-converted-space"> </span><br></b>CEO - JanRain, Inc.<br><a href="mailto:bkissel@janrain.com" style="color: blue; text-decoration: underline; ">bkissel@janrain.com</a><br>Mobile: 503.342.2668 | Fax: 503.296.5502<br>519 SW 3rd Ave. 
Suite 600 Portland, OR 97204<br> <br><b><i>Increase registrations, engage users, and grow your brand with RPX. Learn more at<span class="Apple-converted-space"> </span></i></b></span><b><i><span style="color: red; "><a href="http://www.rpxnow.com" style="color: blue; text-decoration: underline; ">www.rpxnow.com</a><span class="Apple-converted-space"> </span><<a href="http://www.rpxnow.com/" style="color: blue; text-decoration: underline; ">http://www.rpxnow.com/</a>><span class="Apple-converted-space"> </span><br></span></i></b><span style="color: rgb(31, 73, 125); "><br></span><br></span><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="openid-specs-bounces@lists.openid.net" style="color: blue; text-decoration: underline; ">openid-specs-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[<a href="mailto:openid-specs-bounces@lists.openid.net" style="color: blue; text-decoration: underline; ">mailto:openid-specs-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Allen Tom<br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, January 22, 2010 10:43 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Andrew Arnott; John Bradley; Breno de Medeiros; specs<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: Problem with nonces and HTTP GET<br></span><br><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">The SSL security warning is a really terrible UX, and I agree that it doesn’t make sense to warn on POST but not on GET.<br><br>Yahoo is running into the 2KB limit (and the associated SSL warning) with alarming frequency and it’s really hurting OpenID relative to the proprietary SSO solutions.<span class="Apple-converted-space"> </span><br><br>For a real live example of 
how the giant AX names are hurting OpenID, see<span class="Apple-converted-space"> </span><a href="http://www.huffingtonpost.com" style="color: blue; text-decoration: underline; ">http://www.huffingtonpost.com</a><span class="Apple-converted-space"> </span>– click on the Login link, then the “Connect with Yahoo” button. This kicks off the Hybrid OpenID+OAuth+AX flow, which requires a POST response – forcing the user to click through a security warning to complete the sign-in flow. The non-OpenID SSO choices (Facebook/Twitter/GFC) do not have this issue.<br><br>With regards to changing browsers to not display SSL warnings for POST, or relying on smart OpenID clients – we really need a solution right now, since the proprietary alternatives are rapidly being adopted.<br><br>WRT the nonce – I think it would make more sense for RPs to just check the timestamp, and allow replay for a “narrow” window, like 10 minutes. There are many legitimate reasons why a request could be replayed – intermediate proxy servers might do weird things, the user might hit reload/back/forward, etc.<br><br>Allen<br><br><br>On 1/22/10 10:06 AM, "Andrew Arnott" &lt;<a href="mailto:andrewarnott@gmail.com" style="color: blue; text-decoration: underline; ">andrewarnott@gmail.com</a>&gt; wrote:<br>Ideally we could use POST, but avoid the browser warning that information is crossing the SSL world into the non-SSL world. This might be arguable anyway since sending information can be done with GET or POST, so why warn for POST and not for GET? If we can get browsers to not warn for POST we're gold.<br><br>Alternatively, and perhaps more likely, if we're moving in the direction of smart client browsers (plugins), and these have been shown to benefit from extensions to the OpenID spec, perhaps we can leverage these to always use POST without displaying the warning to the user somehow. <br>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. 
Tallentyre<br><br><br>On Fri, Jan 22, 2010 at 9:14 AM, John Bradley &lt;<a href="mailto:john.bradley@wingaa.com" style="color: blue; text-decoration: underline; ">john.bradley@wingaa.com</a>&gt; wrote:<br>The big problem with POST is RPs that use non-SSL endpoints.<span class="Apple-converted-space"> </span><br><br>One possibility is that the IdP could look at the return_to and discover if it is safe to use POST.<br><br>In SAML SSO, POST is the most common way to return the token. <br><br>The other option is artifact binding. That way the nonce is not in the GET, though you probably wind up with the same effect if the RP tries to resolve the artifact more than once.<br><br>John B.<br>On 2010-01-22, at 12:39 PM, Andrew Arnott wrote:<br>HTTP GET is supposed to be completely effect-free on the server. But nonces in OpenID messages violate that aspect of the HTTP spec, since any subsequent GET with the same positive assertion will (or should) fail. I speculate that some random login failures on StackOverflow &lt;<a href="http://meta.stackoverflow.com/questions/32247/cant-login-to-so-with-openid-the-signature-verification-failed/36583#36583" style="color: blue; text-decoration: underline; ">http://meta.stackoverflow.com/questions/32247/cant-login-to-so-with-openid-the-signature-verification-failed/36583#36583</a>&gt; may be caused because a browser, an accelerator plugin, or a proxy attempted to repeat the assertion-carrying GET request (since that's supposed to be safe), and a subsequent request is the one whose response is displayed in the browser, failing user login.<br><br>POST is a better fit with the HTTP spec for how the message is 
actually processed on the server. I know lately we've been looking for ways to cram more data into &lt; 2KB payloads so we can get off POST and onto GET since the user experience is better. But I wonder if we can put our heads together and figure out how to have our cake and eat it too with this nonce problem. This error doesn't come up often, but it can come up, apparently does come up, and is a natural side-effect of the way OpenID communicates.<br><br>Any ideas?<br><br>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>_______________________________________________<br>specs mailing list<br><a href="mailto:specs@lists.openid.net" style="color: blue; text-decoration: underline; ">specs@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs</a></span><o:p></o:p></p></div></div></span></blockquote></div><br></div></body></html>
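The nonce handling argued over in this thread, as an added example that is not part of the thread or of any OpenID library: an RP-side check of the OpenID 2.0 openid.response_nonce (RFC 3339 UTC timestamp prefix, at most 255 characters) with a bounded store of seen nonces, a strict mode that accepts each nonce once as the spec requires, and the relaxed timestamp-only mode Allen suggests. The OP endpoint, nonce values and clock readings are constructed sample data; the 10-minute window and 1-minute clock skew are assumptions.

```python
from datetime import datetime, timedelta, timezone

# OpenID 2.0 section 10.1: the nonce is an RFC 3339 UTC timestamp (no fractional
# seconds, trailing "Z") followed by optional printable ASCII, 255 characters at most.
NONCE_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
TS_LEN = len("2010-01-22T18:06:00Z")
MAX_NONCE_LEN = 255
OP_ENDPOINT = "https://op.example.com/endpoint"   # constructed sample OP endpoint


class NonceStore:
    """Remembers nonces for `window`, then forgets them so storage stays bounded.

    strict=True  : spec behaviour (section 11.3), a nonce is accepted once only.
    strict=False : the timestamp-only relaxation suggested in the thread, so the
                   same nonce may be presented again within the window.
    """

    def __init__(self, window=timedelta(minutes=10), skew=timedelta(minutes=1), strict=True):
        self.window, self.skew, self.strict = window, skew, strict
        self._seen = {}   # (op_endpoint, nonce) -> time the OP issued it

    def check(self, op_endpoint, nonce, now):
        """Return (accepted, reason) for one positive assertion received at `now`."""
        if not TS_LEN <= len(nonce) <= MAX_NONCE_LEN:
            return False, "malformed nonce"
        try:
            issued = datetime.strptime(nonce[:TS_LEN], NONCE_TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad timestamp"
        if issued > now + self.skew or now - issued > self.window:
            return False, "outside window"
        # Forget entries the window check would reject anyway, so the store never grows unbounded.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}
        key = (op_endpoint, nonce)   # a nonce is only unique per OP, so key on both
        if self.strict and key in self._seen:
            return False, "replayed nonce"
        self._seen[key] = issued
        return True, "ok"


def single_check(nonce, now_iso, strict=True):
    """Check one nonce against a fresh store; `now_iso` uses the nonce timestamp format."""
    now = datetime.strptime(now_iso, NONCE_TS_FMT).replace(tzinfo=timezone.utc)
    return NonceStore(strict=strict).check(OP_ENDPOINT, nonce, now)


def repeated_get(strict):
    """The StackOverflow scenario from the thread: the same assertion-carrying GET
    arrives twice (reload, accelerator plugin or proxy). Returns both verdicts."""
    store = NonceStore(strict=strict)
    nonce = "2010-01-22T18:06:00Zq7Xk9"                 # constructed sample nonce
    first = store.check(OP_ENDPOINT, nonce, datetime(2010, 1, 22, 18, 6, 5, tzinfo=timezone.utc))
    second = store.check(OP_ENDPOINT, nonce, datetime(2010, 1, 22, 18, 6, 7, tzinfo=timezone.utc))
    return first, second   # strict: second GET is rejected; relaxed: both pass, as would a replay
```

A less risky way to tolerate a reloaded GET than the relaxed mode, which I assume here rather than take from the thread, is to cache the first verification result against the browser session that presented the assertion, so the same nonce stays useless from any other session.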