https:// urls as openid servers and/or identities?

Mr Allwyn Fernandes afyadis at stobor.net
Fri Jul 22 01:07:28 PDT 2005 

Hi,

I've been playing around with Taral's PHP OpenID server (with nandhp's 
improvements), and it seems to show up a limitation in the implementations of 
OpenID on LifeWiki, LiveJournal, and the Danga Demo page 
(http://www.danga.com/openid/demo/demo.html) which bothers me somewhat...

It appears that these sites (the only ones I've tried so far) cannot use 
secure pages as OpenID servers... 

Both LifeWiki and LiveJournal seem to be fine with https:// identities; they 
give different errors for https://stobor.net/test/fred.html [No openid server 
declared] and https://stobor.net/test/bob.html [openid server 
https://stobor.net/test/index.php]

The Danga demo page is different in that it reports "bogus_url" for both those 
identity pages (same behaviour for classic and AJAX), which leads me to 
suspect that it doesn't support https:// identities...

One notable point is that LifeWiki actually gives slightly informative 
messages from perl:

Using bob.html, I get
The following errors occurred with your submission:
* unable to determine claimed identity: url_fetch_error: Error fetching URL: 
Can't locate Net/SSL.pm in @INC)
* unable to determine OpenID verification URL

With fred.html, I get 
The following errors occurred with your submission:
* unable to determine claimed identity: url_fetch_error: Error fetching URL: 
Can't locate object method "new" via package 
"LWPx::Protocol::https_paranoid::Socket"
* unable to determine OpenID verification URL

That complaint about Net/SSL.pm seems strange, given that it can apparently 
read the SSL page to extract the server name...

Is there anything I'm doing wrong? (I don't have an http:// url I can mess 
with handy - I'll check that out soon, though.) Or is it simply a matter of 
fact that consumers don't do https:// and I have to live with it? It seems to 
me that an authentication system would want to be at least potentially 
secure, even if it's not widely used that way...

Cheers,

Allwyn.

-- 
Allwyn Fernandes
Director
Stobor Pty Ltd

Mobile: + 61 414 470 392

More information about the yadis mailing list