IRC Log for #openid on 2009-01-12

Timestamps are in UTC.

  1. [00:54:08] * nor3|brb is now known as nor3
  2. [01:05:38] * samsm (n=samsm@c-98-242-68-134.hsd1.ga.comcast.net) Quit (kubrick.freenode.net irc.freenode.net)
  3. [01:05:38] * NetersLandreau (n=NetersLa@b2.e6.354a.static.theplanet.com) Quit (kubrick.freenode.net irc.freenode.net)
  4. [01:05:38] * shawn (n=shawn@208-78-98-92.slicehost.net) Quit (kubrick.freenode.net irc.freenode.net)
  5. [01:05:57] * samsm (n=samsm@c-98-242-68-134.hsd1.ga.comcast.net) has joined #openid
  6. [01:05:57] * shawn (n=shawn@208-78-98-92.slicehost.net) has joined #openid
  7. [01:05:57] * NetersLandreau (n=NetersLa@b2.e6.354a.static.theplanet.com) has joined #openid
  8. [01:07:40] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) has joined #openid
  9. [01:09:56] <nor3> i'm confused :(
  10. [01:10:05] <nor3> what exactly does the "discovery" stage achieve?
  11. [01:10:33] <samsm> It detects delegation, for one.
  12. [01:11:03] <nor3> hmm
  13. [01:11:17] <samsm> Like look at the header here: http://samsm.com
  14. [01:11:38] <nor3> i see
  15. [01:11:45] <samsm> That says, yes, this is samsm.com, but use samsm.myopenid.com for the OpenID verification instead.
  16. [01:11:59] <nor3> ok..
  17. [01:12:43] <nor3> this is probably unrelated, but what's the difference between "identity" and "claimed_id" arguments given to the return_to address?
  18. [01:13:16] <samsm> If I ever knew, I don't remember. :)
  19. [01:13:22] <nor3> :\
  20. [01:13:32] <samsm> Are they the same typically for you?
  21. [01:13:39] <samsm> What does the spec say?
  22. [01:13:47] <nor3> i'm trying to look it up
  23. [01:13:53] <nor3> i'm just getting into this, sorry
  24. [01:14:11] <nor3> yeah they are the same so far as i've seen
  25. [01:14:16] <samsm> Oh, that's all good, I'm sure someone else would know that off the top of their head.
  26. [01:17:25] <nor3> it might be some backwards compatibility thing
  27. [01:19:23] * jaguarandi (n=darkaj@85.138.59.241) Quit (Read error: 113 (No route to host))
  28. [01:21:09] <nor3> i guess i'm also confused a bit about how the user is prevented from forging a message from the provider
  29. [01:22:17] <samsm> The relying party passes the provider a secret message that the provider forwards back with the user.
  30. [01:22:21] <nor3> the relying party and the provider agree on a way to generate nonces,
  31. [01:22:27] <nor3> ok
  32. [01:22:34] <nor3> yeah
  33. [01:23:28] <nor3> ok. i guess it's coming together for me. thanks
  34. [01:24:15] <samsm> That's my understanding at least ... I think it is at least accurate in principle.
  35. [01:25:07] <nor3> yeah. there's also a "stateless mode" for rps that can't store associations
  36. [01:27:53] <samsm> Heh, yeah, I've read about that, but never bothered to understand how it works.
  37. [01:28:06] <samsm> I don't think it is used much.
  38. [01:44:46] * ignaciogggg (n=ignaciog@host7.190-137-194.telecom.net.ar) has joined #openid
  39. [01:46:36] <nor3> hmmm, how does the op mediate allowing the rp to "remember me"?
  40. [01:47:01] * sarfaraz (n=crazysar@59.165.1.197) has joined #openid
  41. [01:47:38] <sarfaraz> ok I'm using the simpleopenid class from phpclasses with yadis for yahoo open id support.
  42. [01:47:44] <sarfaraz> got most of things fixed.
  43. [01:47:53] <sarfaraz> but can't get one error fixed.
  44. [01:48:08] <sarfaraz> A PHP Error was encountered
  45. [01:48:08] <sarfaraz> Severity: Warning
  46. [01:48:08] <sarfaraz> Message: Invalid argument supplied for foreach()
  47. [01:48:08] <sarfaraz> Filename: Yadis/XML.php
  48. [01:48:08] <sarfaraz> Line Number: 332
  49. [01:48:21] <sarfaraz> can someone here help me with this.
  50. [01:54:21] <nor3> that's funny, i'm trying to get openid working too
  51. [01:54:40] <nor3> oh wait
  52. [01:54:47] <nor3> i thought this was also in #appengine, haha
  53. [01:54:53] <nor3> i guess that's not such a coincidence
  54. [01:55:29] <nor3> sounds like the openid provider's response can't be parsed by your yadis xml parser
  55. [01:55:40] <nor3> which op are you testing on, and have you tried any other?
  56. [01:56:35] <sarfaraz> I'm trying yahoo ... AOL works gr8
  57. [02:01:06] <_keturn> openid.identity is the field that was in the v1 spec, and is the "OP-Local Identifier," the identifier that that OP ties to that account. It's what's in the openid.delegate or openid2.local_id discovery fields.
  58. [02:02:31] <_keturn> whereas openid.claimed_id is the identifier in the global namespace that you did discovery on and are wanting an assertion for. These are often the same thing, but may be different in cases of delegation or XRI
  59. [02:15:51] * sarfaraz (n=crazysar@59.165.1.197) Quit ()
  60. [02:46:36] * metadaddy (n=metadadd@c-76-102-102-87.hsd1.ca.comcast.net) has joined #openid
  61. [02:55:57] * ignaciogggg (n=ignaciog@host7.190-137-194.telecom.net.ar) Quit ()
  62. [02:56:28] <nor3> _keturn: so if i'm only dealing with v2 ops, i can ignore the openid.identity?
  63. [02:56:47] <nor3> i'm not sure what "an assertion" means :\
  64. [02:57:03] <nor3> oh
  65. [02:57:17] <nor3> a message sent to the rp via the user agent using a nonce?
  66. [02:58:35] * ignaciogggg (n=ignaciog@host7.190-137-194.telecom.net.ar) has joined #openid
  67. [03:01:58] <nor3> i'm still not sure whether the .claimed_id or .identity should be used as the unique "openid"
  68. [03:11:09] <_keturn> claimed_id is the openid, but you may well have to use both in order to verify the assertion
  69. [03:11:57] <nor3> in what case?
  70. [03:13:00] * metadaddy (n=metadadd@c-76-102-102-87.hsd1.ca.comcast.net) Quit ()
  71. [03:13:30] <nor3> gah, i'm still confused about how messages from the op are securely handed to the rp via the user
  72. [03:13:45] <nor3> there doesn't seem to be a signature "hash" of the message
  73. [03:14:30] <nor3> oh wait, is that what openid.assoc_handle is?
  74. [03:15:51] <nor3> oh, no
  75. [03:15:53] <nor3> it's openid.sig
  76. [03:15:56] <nor3> how silly of me
  77. [03:16:11] <nor3> it's hard to read urls sometimes :P
  78. [03:16:49] <nor3> so if the claimed_id is signed
  79. [03:17:02] <nor3> why would i still need the .identity to verify the assertion?
  80. [03:30:11] * tbbrown (n=tom@cpe-70-112-238-189.austin.res.rr.com) has joined #openid
  81. [03:38:36] * metadaddy (n=metadadd@c-76-102-102-87.hsd1.ca.comcast.net) has joined #openid
  82. [03:50:24] <_keturn> hmm, now I'm having trouble coming up with an exploit for the scenario where you don't verify the op-local ID, as long as you _do_ verify the op_endpoint and the sig checks out
  83. [03:52:02] * metadaddy (n=metadadd@c-76-102-102-87.hsd1.ca.comcast.net) Quit ()
  84. [03:52:18] <_keturn> so I'm not sure it's exploitable, but if I claim keturn.net and the discovery information there says openid2.local_id is keturn.myopenid.com but the id_res message says it's crax0r.myopenid.com, something is fishy
  85. [04:03:50] <nor3> man this is confusing :P
  86. [04:04:31] <nor3> i mean, the id_res message is signed through the rp-op association, right?
  87. [04:04:47] <nor3> so the only way it could be fishy is if the association is compromised?
  88. [04:04:51] <nor3> *sigh*
  89. [04:05:11] <nor3> another question: is there any sense in which the op controls signing out of the rp?
  90. [04:05:45] <nor3> or, is it safe for me to associate a user-agent with an openid through a session_key cookie?
  91. [04:06:13] <nor3> i just ask because google and yahoo both ask if i want to allow the rp to "remember me"
  92. [04:11:59] * josephholsten (n=joseph@ip68-0-70-106.tu.ok.cox.net) Quit ()
  93. [04:20:37] <samsm> Yeah, you want to use a session of some sort so you don't have to re-ask the provider to confirm an identity each request.
  94. [04:21:59] <samsm> The provider level "remember me" is a trust issue ... "is it ok to tell this relying party I have this identity? never, always, just this once"
  95. [04:25:11] * jcrosby (n=jon@astound-66-234-216-247.ca.astound.net) has joined #openid
  96. [04:28:01] * devlindaley (n=devlin@cddaley.fttp.xmission.com) has joined #openid
  97. [04:44:34] <nor3> oh
  98. [04:45:19] <nor3> samsm: so if you respond: always, the op will automatically redirect you back to the rp with the id_res message if it has already authenticated you?
  99. [04:47:04] <samsm> It will be as if the person clicked "approve".
  100. [05:14:30] * devlindaley_ (n=devlin@cddaley.fttp.xmission.com) has joined #openid
  101. [05:29:57] * devlindaley (n=devlin@cddaley.fttp.xmission.com) Quit (Read error: 110 (Connection timed out))
  102. [05:37:52] * jcrosby (n=jon@astound-66-234-216-247.ca.astound.net) Quit ()
  103. [05:43:19] * jcrosby (n=jon@astound-66-234-216-247.ca.astound.net) has joined #openid
  104. [06:14:39] * devlindaley_ (n=devlin@cddaley.fttp.xmission.com) Quit ()
  105. [06:24:44] * ignaciogggg (n=ignaciog@host7.190-137-194.telecom.net.ar) Quit ()
  106. [07:40:29] * stub (n=stub@ppp-58-8-2-221.revip2.asianet.co.th) has joined #openid
  107. [07:44:40] * bortzmeyer (i=bortzmey@batilda.nic.fr) has joined #openid
  108. [08:11:08] * jcrosby (n=jon@astound-66-234-216-247.ca.astound.net) Quit ()
  109. [08:27:50] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) Quit ()
  110. [08:32:38] * tjohns_ (n=trevorjo@adsl-69-228-171-34.dsl.snfc21.sbcglobal.net) has joined #openid
  111. [08:33:25] * tjohns__ (n=trevorjo@72.14.224.1) has joined #openid
  112. [08:33:34] * tjohns__ (n=trevorjo@72.14.224.1) Quit (Remote closed the connection)
  113. [08:42:09] * tjohns_ (n=trevorjo@adsl-69-228-171-34.dsl.snfc21.sbcglobal.net) Quit (Read error: 145 (Connection timed out))
  114. [09:10:39] * jaguarandi (n=darkaj@85.138.59.241) has joined #openid
  115. [09:17:42] * MrTopf (n=cs@p5B395B15.dip.t-dialin.net) has joined #openid
  116. [09:19:04] * xpo (n=xpo@nat/af83/x-0a385d8ee3602b78) has joined #openid
  117. [09:21:21] * MrTopf (n=cs@p5B395B15.dip.t-dialin.net) Quit (Client Quit)
  118. [09:21:24] * MrTopf (n=cs@p5B395B15.dip.t-dialin.net) has joined #openid
  119. [09:35:40] * xpo_air (n=xpo@nat/af83/x-d3b557ef3c75240a) has joined #openid
  120. [09:46:06] * xpo (n=xpo@nat/af83/x-0a385d8ee3602b78) Quit (Read error: 113 (No route to host))
  121. [09:53:52] * quik__ (n=ben@c210-49-204-148.thoms2.vic.optusnet.com.au) has joined #openid
  122. [09:53:58] <quik__> hey folks
  123. [09:54:05] <quik__> anyone familiar with the yahoo implementation of openid?
  124. [09:54:34] <quik__> basically, I'm requesting a flickr openid account and yahoo returns the yahoo openid unless someone changes the setting
  125. [09:54:48] <quik__> wondering if you can query for other ids that are usable?
  126. [10:34:59] * quik__ (n=ben@c210-49-204-148.thoms2.vic.optusnet.com.au) Quit ()
  127. [11:00:39] * xpo_air (n=xpo@nat/af83/x-d3b557ef3c75240a) Quit ()
  128. [11:18:34] * tbbrown (n=tom@cpe-70-112-238-189.austin.res.rr.com) Quit ("leaving")
  129. [11:32:43] * quik__ (n=ben@c210-49-204-148.thoms2.vic.optusnet.com.au) has joined #openid
  130. [12:49:24] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) Quit ()
  131. [13:11:36] * xpo (n=xpo@nat/af83/x-fffb2bff87d0399d) has joined #openid
  132. [13:27:39] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")
  133. [13:27:48] * stub (n=stub@ppp-58-8-2-221.revip2.asianet.co.th) has joined #openid
  134. [13:27:50] * tjohns (n=tjohns@adsl-69-228-171-34.dsl.snfc21.sbcglobal.net) Quit ()
  135. [14:06:53] <quik__> is there any way to insist which open id url should be returned from an openid server?
  136. [14:20:44] * elliottcable (n=ec@ec2-75-101-138-129.compute-1.amazonaws.com) Quit (SendQ exceeded)
  137. [14:21:16] * MacTed (n=Thud@63.119.36.36) has joined #openid
  138. [14:54:24] * devlindaley (n=devlin@cddaley.fttp.xmission.com) has joined #openid
  139. [14:58:42] * devlindaley (n=devlin@cddaley.fttp.xmission.com) Quit (Client Quit)
  140. [15:16:00] * quik__ (n=ben@c210-49-204-148.thoms2.vic.optusnet.com.au) Quit ()
  141. [15:20:52] * metadaddy (n=metadadd@c-76-102-102-87.hsd1.ca.comcast.net) has joined #openid
  142. [15:22:56] * daleolds (n=daleolds@206.81.133.96) has joined #openid

These logs were automatically created by OpenIDlogbot on chat.freenode.net using a modified version of the Java IRC LogBot.