https:// urls as openid servers and/or identities?

Michael Krelin hacker at klever.net
Fri Jul 22 12:24:45 PDT 2005


From what I remember, I've seen a check for a '^http://' regex somewhere in
consumer perl sources, which basically means that you shouldn't expect
it to work in most cases. As I am new to the list, I can't tell why
there is such a limitation (although I do not remember this limitation being pointed
out in the specs), but in the real world it makes sense, since most
sites can't afford a recognizable certificate, which means that their
functionality would depend on the UA security settings (many people use
MSIE nowadays, don't they?). The server-side certificate-validation
policy for server-to-server operations isn't clear either.

As for security, while I wouldn't say the protocol is bulletproof, you
should not worry too much, for the protocol does provide some means of
security if you are willing to take the pain of implementing it.

Love,
Michael


> Hi,
> 
> I've been playing around with Taral's PHP OpenID server (with nandhp's 
> improvements), and it seems to show up a limitation in the implementations of 
> OpenID on LifeWiki, LiveJournal, and the Danga Demo page 
> (http://www.danga.com/openid/demo/demo.html) which bothers me somewhat...
> 
> It appears that these sites (the only ones I've tried so far) cannot use 
> secure pages as OpenID servers... 
> 
> Both LifeWiki and LiveJournal seem to be fine with https:// identities; they 
> give different errors for https://stobor.net/test/fred.html [No openid server 
> declared] and https://stobor.net/test/bob.html [openid server 
> https://stobor.net/test/index.php]
> 
> The Danga demo page is different in that it reports "bogus_url" for both those 
> identity pages (same behaviour for classic and AJAX), which leads me to 
> suspect that it doesn't support https:// identities...
> 
> One notable point is that LifeWiki actually gives slightly informative 
> messages from perl:
> 
> Using bob.html, I get
> The following errors occurred with your submission:
> * unable to determine claimed identity: url_fetch_error: Error fetching URL: 
> Can't locate Net/SSL.pm in @INC)
> * unable to determine OpenID verification URL
> 
> With fred.html, I get 
> The following errors occurred with your submission:
> * unable to determine claimed identity: url_fetch_error: Error fetching URL: 
> Can't locate object method "new" via package 
> "LWPx::Protocol::https_paranoid::Socket"
> * unable to determine OpenID verification URL
> 
> That complaint about Net/SSL.pm seems strange, given that it can apparently 
> read the SSL page to extract the server name...
> 
> Is there anything I'm doing wrong? (I don't have an http:// url I can mess 
> with handy - I'll check that out soon, though.) Or is it simply a matter of 
> fact that consumers don't do https:// and I have to live with it? It seems to 
> me that an authentication system would want to be at least potentially 
> secure, even if it's not widely used that way...
> 
> Cheers,
> 
> Allwyn.
> 
> -- 
> Allwyn Fernandes
> Director
> Stobor Pty Ltd
> 
> Mobile: + 61 414 470 392
> 
> 
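As an added illustration (not code from the Perl consumer Michael mentions, nor from any library named on this page), here is the '^http://' check he describes next to a scheme-aware check that accepts both http:// and https:// identities and refuses any other scheme, run over the identity URLs from Allwyn's message plus a few constructed cases:

```python
import re
from urllib.parse import urlsplit

# Constructed example; the regex mirrors the '^http://' check described in
# the thread, it is not copied from any consumer library.
LEGACY_HTTP_ONLY = re.compile(r"^http://")

# Schemes an OpenID consumer should be willing to fetch an identity page
# from; anything else (mailto:, ftp:, ...) is refused before any fetch.
ALLOWED_SCHEMES = {"http", "https"}


def legacy_accepts(identity: str) -> bool:
    """Return True if the legacy '^http://' regex would accept the URL."""
    return LEGACY_HTTP_ONLY.match(identity) is not None


def scheme_aware_accepts(identity: str) -> bool:
    """Accept http:// and https:// identities with a host, reject the rest.

    urlsplit lowercases the scheme, so 'HTTPS://example.org/' passes, while
    'https:///x' (no host) and 'mailto:...' (wrong scheme) do not.
    """
    parts = urlsplit(identity)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def classify(identities):
    """Map each identity URL to (legacy_accepts, scheme_aware_accepts)."""
    return {u: (legacy_accepts(u), scheme_aware_accepts(u)) for u in identities}


if __name__ == "__main__":
    # The two https:// identities from Allwyn's message plus constructed URLs.
    samples = [
        "https://stobor.net/test/bob.html",
        "https://stobor.net/test/fred.html",
        "http://example.org/alice",
        "mailto:alice@example.org",
        "ftp://example.org/x",
    ]
    for url, (old, new) in classify(samples).items():
        print(f"{url:40} legacy={old!s:5} scheme_aware={new}")
```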


More information about the yadis mailing list