IRC Log for #openid on 2009-06-26

Timestamps are in UTC.

  1. [00:02:02] * MacTed (n=Thud@ Quit (Read error: 110 (Connection timed out))
  2. [00:13:39] <flaccid> any ops: security update link in the topic is dead
  3. [00:22:23] * mosites (n=mosites@ has joined #openid
  4. [00:24:34] * shigeta ( has joined #openid
  5. [00:45:54] <keturn> huh. is down. I wonder what the story is behind that.
  6. [00:46:43] * keturn changes topic to ' || Got OpenID library questions? Check'
  7. [00:52:32] <flaccid> is that security thing a patch and is it in the latest lib versions ?
  8. [00:54:49] * jonny_ ( Quit (Read error: 110 (Connection timed out))
  9. [01:00:44] <keturn> it was an announcement of new lib versions a while back
  10. [01:01:21] <flaccid> so i'll take that as a yes :)
  11. [01:07:32] * mosites (n=mosites@ Quit ()
  12. [01:27:19] * xpo (n=xpo@bearstech/xpo) Quit ()
  13. [01:43:08] * daleolds (n=daleolds@ has left #openid
  14. [01:54:01] * xpo (n=xpo@bearstech/xpo) has joined #openid
  15. [01:55:41] * xpo (n=xpo@bearstech/xpo) Quit (Client Quit)
  16. [02:03:13] * singpolyma ( Quit ("Lost terminal")
  17. [02:14:04] * mosites ( has joined #openid
  18. [02:22:55] * singpolyma ( has joined #openid
  19. [02:26:16] * stub ( has joined #openid
  20. [03:02:11] * jonny ( has joined #openid
  21. [03:06:58] * singpolyma ( Quit (Read error: 60 (Operation timed out))
  22. [03:24:52] * daleolds ( has joined #openid
  23. [03:26:13] * daleolds ( has left #openid
  24. [03:59:33] <jonny> flaccid: to what domain are those cookies tied?
  25. [04:01:10] <flaccid> jonny the OPs . has to be otherwise it can't work and of course you can't do cross site/domain hijacking like that. so particularly if you have a fast connection the redirect will be fast and feel as though it just 'happens'
  26. [04:01:36] <jonny> hmm
  27. [04:01:53] <jonny> so with every page load the client browser has to do the roundtrip to the provider?
  28. [04:01:58] <flaccid> so that being said, whats the issue remaining ?
  29. [04:02:30] <flaccid> i believe so
  30. [04:02:37] <flaccid> we can test
  31. [04:04:05] <jonny> so you managed to log in once, and then keep the logged in session? I guess the example doesn't go that far
  32. [04:04:43] <flaccid> yes but like i said, its your OP that has the session/cookie
  33. [04:09:55] <jonny> ok
  34. [04:10:34] <jonny> so with every page load, what would be the steps to do the authorizing in the background?
  35. [04:10:48] <jonny> after getting the OK first time
  36. [04:12:56] <flaccid> i don't understand
  37. [04:14:37] <jonny> with the old style per-website login style, you log in once and then there's a session which makes it so you don't have to login all the time, until you logout/close browser/cookie runs out
  38. [04:14:56] <jonny> I'm looking for the same pattern here...
  39. [04:17:52] * singpolyma ( has joined #openid
  40. [04:20:12] <flaccid> yes that was what we just talked about
  41. [04:20:16] <flaccid> in firebug you can see the redirects
  42. [04:21:40] <flaccid> so i logged in first via the example rp i put up, i then went to and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for
  43. [04:23:03] * shigeta_ ( has joined #openid
  44. [04:23:23] * jonny ( Quit (Remote closed the connection)
  45. [04:23:45] * jonny ( has joined #openid
  46. [04:23:50] <flaccid> wb
  47. [04:23:54] <flaccid> [14:21] <flaccid> yes that was what we just talked about
  48. [04:23:54] <flaccid> [14:21] <flaccid> in firebug you can see the redirects
  49. [04:23:55] <flaccid> [14:23] <flaccid> so i logged in first via the example rp i put up, i then went to and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for
  50. [04:24:00] <jonny> so where is your consumer?
  51. [04:24:06] <jonny> Can I try it out?
  52. [04:24:11] <jonny> tx
  53. [04:26:03] * shigeta ( Quit (Read error: 60 (Operation timed out))
  54. [04:26:34] <flaccid> i messaged this stuff earlier, did you not get ?
  55. [04:27:17] <jonny> I don't think I follow
  56. [04:27:44] <flaccid> i just pm'd you
  57. [04:28:07] <flaccid> does chatzilla not support that or something ?
  58. [04:28:29] <flaccid> i don't get what you don't follow
  59. [04:29:05] <flaccid> [14:23] <flaccid> so i logged in first via the example rp i put up, i then went to and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for - thus the single sign on via the session that is possible via the cookies my OP ( leaves
  60. [04:31:51] <jonny> im trying out using openid to login to stackoverflow now
  61. [04:32:02] <jonny> it prompts me to setup an account at
  62. [04:32:25] * flaccid nods
  63. [04:32:33] <jonny> I thought using the account from the other provider should be enough?
  64. [04:32:49] <flaccid> what account from what other provider?
  65. [04:32:56] <jonny> used myspace now
  66. [04:33:11] <jonny> mixi didn't work :-P
  67. [04:33:57] <flaccid> i don't use myspace and i don't even know what mixi is
  68. [04:35:38] <jonny> it should matter right?
  69. [04:36:00] <jonny> stackoverflow accepts my myspace login, and prompts me to create a new account
  70. [04:36:16] <jonny> then what's the difference from just creating an account at stackoverflow from the beginning?
  71. [04:36:45] <jonny> *shouldn't
  72. [04:38:07] <singpolyma> jonny: they just use OpenID for authentication and then you need to create a local "profile"
  73. [04:39:40] <flaccid> the difference is that you can use your openid and if you are already logged in via your op ie. logged in already (or did with an RP) you won't have to fill out a login form again
  74. [04:40:29] <flaccid> so like i was saying before, i went to my example RP, put in my identity URL, it directed to my OP to login, so i did. then after that i opened a new tab, put in stackoverflow, clicked login and it logged me in automatically
  75. [04:47:48] <jonny> the openid you used at your RP and stackoverflow is the same one?
  76. [04:48:42] <flaccid> yes
  77. [04:49:13] <flaccid> if openid was that insecure people would be having lots of fun stealing identities :)
  78. [04:51:22] <jonny> hmm ok
  79. [04:52:01] <jonny> I guess the whole deal with creating the session at the consumer side site is left outside the library
  80. [04:52:49] <jonny> If that's the case, I'll just have to start coding :-P
  81. [04:53:19] <jonny> the usage experience at isn't that bad actually :-)
  82. [04:53:22] <flaccid> oh totally, i think i was just so busy the other day that i was misinterpreting you
  83. [04:53:31] <flaccid> the example rp doesn't use any session stuff
  84. [04:53:52] <jonny> yes the example just gets the OK and maybe a nickname or so...
  85. [04:53:52] <flaccid> stackoverflow is a pretty example of a decent RP implementation
  86. [04:54:22] <jonny> oh btw mixi is the largest community - in japan ;-)
  87. [04:54:25] <flaccid> yeah the RP can receive the extra data of sreg or ax but thats about the extent of it
  88. [04:54:31] <flaccid> fair enough
  89. [04:55:05] <jonny> they release the nickname.. myspace doesn't... hm... well I'll likely mimic the stackoverflow approach and call a new user "unnamed"..
  90. [04:55:07] <flaccid> doesn't look like it supports openid
  91. [04:55:39] <jonny> where who?
  92. [04:55:41] <flaccid> yeah its up to the OP if they support providing the extra profile data via AX or SReg..
  93. [04:55:46] <flaccid> mixi
  94. [04:55:55] <jonny> it works with the example
  95. [04:55:59] <jonny> but not at stackoverflow..
  96. [04:56:18] <flaccid> are you saying they are an OP only ?
  97. [04:56:20] <jonny> I even put in my complete openid url there but no
  98. [04:57:02] <jonny> Ok thanks for your help...
  99. [04:57:11] <jonny> I think I understand, slowly... :-)
  100. [04:57:14] <jonny> lunch time
  101. [04:57:30] <flaccid> jonny are they an OP only? if you give me your openid identity URL there I'll tell you what their problem is..
  102. [04:57:52] <jonny>
  103. [04:58:48] <jonny> there's a page within the community where you can uncheck if you want your nickname exposed or not...
  104. [04:58:54] <jonny> it's default to on
  105. [04:59:15] * mosites ( Quit ("Streamy (")
  106. [05:00:33] <flaccid> so you get 'Authentication error; not a valid OpenID.' right ?
  107. [05:01:54] <jonny> it says..
  108. [05:02:06] <jonny> Unable to log in with your OpenID provider:
  109. [05:02:08] <jonny> OpenID parameter 'session_type' was missing from the query.
  110. [05:02:22] <jonny> im thinking it's actually a mistake at mixi's side
  111. [05:02:40] <jonny> I clicked a "always accept" button there instead of "accept for now"...
  112. [05:02:43] <jonny> and since then things are strange
  113. [05:03:11] <flaccid> yes there seems to be several problems. the main one being that it redirects the identity URL !
  114. [05:03:54] <flaccid> it redirects it to which does not have any openid stuff in it
  115. [05:04:41] <flaccid> however it didn't do that when i first did it, its weird. i think they tried to put UA sniffing on it
  116. [05:05:29] <jonny> ..hmm. i'm not sure.. but, i'll leave that for now..
  117. [05:05:30] <flaccid> and only allow people logged in (members) to view profiles. this is a very bad practice and obviously breaks the possibility of logging in
  118. [05:05:42] <flaccid> it certainly is entirely mixi's bad implementation of openid.
  119. [05:05:45] <jonny> I guess they might be working on it..
  120. [05:05:54] <flaccid> they are an OP only and have failed to even do that half properly
  121. [05:05:58] <flaccid> probably not
  122. [05:06:20] <jonny> yes only logged in users can see profiles
  123. [05:06:49] <jonny> it's very "tight" like, you can't sign up unless you have an email tied to japanese mobile phone services etc
  124. [05:07:23] <jonny> even though it's a huge site
  125. [05:08:55] <flaccid> unfortunately that breaks OpenID discovery entirely to RPs
  126. [05:09:21] <flaccid> if an RP can't fetch the html page to get the link element to the OP endpoint it can't do anything
  127. [05:09:26] <jonny> ah
  128. [05:09:37] <jonny> Im guessing thats the problem then, not that I clicked "always accept"
  129. [05:09:43] <flaccid> thats incredibly bad..
  130. [05:09:45] <jonny> they probably made some change that's breaking things
  131. [05:10:04] <jonny> because it worked just the other day
  132. [05:10:36] <flaccid> thats because they attempt to UA sniff
  133. [05:10:58] <flaccid> well at least i think they did
  134. [05:11:02] <jonny> how does the RP usually get the endpoint? I saw something about a "wellknown" name somewhere
  135. [05:11:10] <flaccid> just like i said
  136. [05:11:25] <flaccid> either by html or xrds discovery
  137. [05:11:56] <jonny> hm ok well they mustve made some change, on purpose or mistake
  138. [05:12:20] <flaccid> its very bad..
  139. [05:12:31] <jonny> after my lunch im just gonna implement the stackoverflow way of things
  140. [05:12:51] <flaccid> they also redirect to and then ERROR: Certificate verification error for unable to get local issuer certificate
  141. [05:12:59] <flaccid> there is at least 4 problems i can see
  142. [05:13:28] <flaccid> if you are implementing your own RP then the example/consumer does totally work as we just proved :)
  143. [05:14:50] <jonny> yes I guess I never had a problem with the example or the library, except my expectations of it
  144. [05:15:37] <flaccid> hey singpolyma it is bad practice to redirect the identity url isn't it, RPs can't support that
  145. [05:16:11] <flaccid> which expectations were they sorry ?
  146. [05:16:42] <singpolyma> flaccid: depends who you talk to. RPs can support it just fine, but I think it's not allowed in 2.0 ... it was allowed in 1.0 and 1.1 for sure, and still works with all major libraries I've tested
  147. [05:17:28] <flaccid> okies. and whats the go with https identity URLs especially if the cert fails checks?
  148. [05:17:55] <flaccid> in mix
  149. [05:18:02] <flaccid> in mixi's case its pretty bad.. ERROR: Certificate verification error for unable to get local issuer certificate
  150. [05:18:11] <singpolyma> Well, that's up to your discretion I guess. With something security-based like OpenID one should use TLS if at all possible and fail if it fails, IMHO
  151. [05:19:00] <flaccid> but why would using a https identity url make anything more secure, its just the identity url to do discovery on by the RP
  152. [05:19:29] <singpolyma> flaccid: are you familiar with DNS poisoning?
  153. [05:19:51] <flaccid> don't think so
  154. [05:20:15] <singpolyma> Basically, when you resolve a DNS address, you can't trust that at all
  155. [05:20:23] <singpolyma> It may be spoofed
  156. [05:20:34] <singpolyma> So you may be doing discovery on, but get the HTML from
  157. [05:20:37] <singpolyma> without TLS
  158. [05:20:50] <flaccid> ah yes i see your point now
  159. [05:21:04] <flaccid> actually i don't
  160. [05:21:16] <flaccid> can still have a valid cert ..
  161. [05:21:32] <singpolyma> yes, but not for
  162. [05:22:08] <singpolyma> If I try to fetch and get a cert for, I know someone is fucking with me
  163. [05:22:08] <flaccid> yes but what does dns hijacking have to do with tls or no tls
  164. [05:22:20] <flaccid> true
  165. [05:22:26] <singpolyma> and *cannot* have a cert for
  166. [05:22:32] <singpolyma> not a valid one
  167. [05:22:57] <singpolyma> So if I only ever use TLS, you cannot hijack my DNS calls without me knowing
  168. [05:23:00] <flaccid> then its up to the RP's security policy right on whether a self-signed cert matching the hostname is valid right ?
  169. [05:23:20] <singpolyma> self-signed certs don't count unless you get them out-of-band
  170. [05:23:34] <singpolyma> You need to know objectively that the cert is valid
  171. [05:23:36] <flaccid> yes, 'don't count' is policy of the RP but
  172. [05:23:46] <flaccid> what you mean by 'out of band'
  173. [05:23:59] <singpolyma> Sure, RPs choose to allow non-TLS, they can choose to allow bad TLS :)
  174. [05:24:14] <singpolyma> out of band : ie, not over the same protocol (HTTP)
  175. [05:24:28] <flaccid> yes in this case bad tls is self signed
  176. [05:24:34] <singpolyma> If I send you a cert over HTTP, but you have not validated I am who I say, you cannot know my cert is valid
  177. [05:24:48] <jonny> there's a comment on a blog about the site: "that makes me think they are internazis"
  178. [05:25:01] <flaccid> self signed is ok i guess for other protocols such as vpn - shouldn't have to buy a cert in that case
  179. [05:25:31] <singpolyma> If I self-sign my cert, and then we meet in a bar and I hand you an SD card with my cert, and then you install it, that's just as good as a cert from a known issuer (as long as you know I really control
  180. [05:25:46] <flaccid> yeah
  181. [05:26:08] <flaccid> so in the case of using a self signed cert, you really should be checking the IP address that is resolved as well
  182. [05:26:20] <singpolyma> Sure, accepting a self-signed the first time and storing it for all checks after that is as good as vpn/ssh "yes/no on first connect" security
  183. [05:26:43] <singpolyma> There's no excuse to use a self-signed TLS IMHO, since startcom will give you one for free
  184. [05:27:01] <flaccid> startcom, is that run by a dude called eddy ?
  185. [05:27:32] <singpolyma> I dunno, it's a TLS issuer, and it's on the debian and firefox (and other) "valid issuer" list, and their lowest-grade certs are free
  186. [05:28:29] <flaccid> yeah eddy nigg thats right, think i talked to him once and hes listed on the openid directory..
  187. [05:28:44] <singpolyma> :)
  188. [05:28:48] <flaccid> i had no idea you could get free tls ..!!
  189. [05:29:28] <singpolyma> Yes. The only reason I don't use it is you can't get free static IPs, and my host won't allow TLS without a static IP
  190. [05:29:34] <singpolyma> because of how openssl works
  191. [05:30:03] <singpolyma> Also, to be fair, startcom certs will appear with the same warnings as self-signed certs to IE users
  192. [05:30:14] <singpolyma> but other browsers and OSs have it on the list
  193. [05:30:22] <flaccid> ah makes sense
  194. [05:30:25] <flaccid> bloody microsoft
  195. [05:30:31] <singpolyma> Yeah
  196. [05:30:49] <singpolyma> But if you're thinking self-signed anyway, it's much ahead of that :)
  197. [05:31:09] <flaccid> i've got an Amazon EC2 instance. the limitation i have there is you only get 1 public IP address per instance :( so i can't do dedicated IP hosting for shared hosting ..
  198. [05:31:25] <singpolyma> yeah
  199. [05:31:40] <flaccid> yeah i'll go and get one from startcom now. its just until we have income to justify buying verisign or whatever
  200. [05:31:56] <singpolyma> Yeah :)
  201. [05:32:49] <flaccid> hey thanks for filling in some gaps there!
  202. [05:33:40] <flaccid> oh one other thing. is considered a different identifier to ?
  203. [05:37:43] <flaccid> oh and singpolyma opera doesn't support startcom :(
  204. [05:45:39] <flaccid> oh and singpolyma - fail on startcom ssl... - SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)
  205. [05:46:02] <singpolyma> interesting
  206. [05:46:09] <flaccid> that was in firefox too
  207. [05:46:13] <singpolyma> it's worked before for me
  208. [05:46:43] <singpolyma> uh... it's working for me right now
  209. [05:46:45] <singpolyma> in firefox
  210. [05:46:47] <singpolyma> what OS are you?
  211. [05:46:55] <flaccid> windows xp atm
  212. [05:48:47] <jonny> so ah, facebook, do they provide openids?
  213. [05:49:00] <singpolyma> jonny: no, they consume them
  214. [05:49:22] <singpolyma> flaccid: hmm... I don't claim to be an expert on who has lists where
  215. [05:49:26] <singpolyma> it's working for me
  216. [05:49:27] <singpolyma> heh
  217. [05:49:36] <jonny> they introduced the aliases the other week, I thought the purpose was just that
  218. [05:49:53] <flaccid> hehe np. could you answer my other little question?
  219. [05:52:35] * xpo (n=xpo@bearstech/xpo) has joined #openid
  220. [05:55:07] * xpo (n=xpo@bearstech/xpo) Quit (Client Quit)
  221. [05:56:51] <singpolyma> oh, yes, OpenID identifiers are URIs, so scheme matters
  222. [05:59:41] <flaccid> hmm that means you kind of have two identities
  223. [06:00:08] <flaccid> but hey you can fix that right if you redirect the http -> https on your identity url right ?
  224. [06:00:47] <singpolyma> yes
  225. [06:02:04] * stub (n=stub@canonical/launchpad/stub) Quit (Nick collision from services.)
  226. [06:02:05] * stub1 ( has joined #openid
  227. [06:02:29] * stub1 is now known as stub
  228. [06:03:12] <flaccid> cool as. all good for me then :)
  229. [06:32:44] * jochen ( has joined #openid
  230. [06:32:46] * jochen ( Quit (Remote closed the connection)
  231. [06:39:44] * singpolyma ( Quit ("Lost terminal")
  232. [07:15:16] * sjobeck ( has joined #openid
  233. [07:17:14] * sjobeck ( Quit (Client Quit)
  234. [07:30:22] * jochen ( has joined #openid
  235. [07:30:31] * jochen ( Quit (Remote closed the connection)
  236. [07:30:54] * jochen ( has joined #openid
  237. [07:54:33] * xpo (n=xpo@bearstech/xpo) has joined #openid
  238. [08:00:12] * ponchopilate ( has joined #openid
  239. [08:11:08] <flaccid> dang i changed my tls cert to the StartSSL one and yeah i get unknown cert authority in every browser its not to dang
  240. [08:30:37] * jochen_ ( has joined #openid
  241. [08:30:53] * jochen_ ( Quit (Remote closed the connection)
  242. [08:31:22] * jochen_ ( has joined #openid
  243. [08:32:23] * jochen ( Quit (Read error: 60 (Operation timed out))
  244. [08:34:51] * jochen_ ( Quit (Remote closed the connection)
  245. [08:36:25] * jochen ( has joined #openid
  246. [08:39:07] * hillsy ( has joined #openid
  247. [08:42:03] * hillsy ( Quit (Remote closed the connection)
  248. [08:42:10] * hillsy_ ( has joined #openid
  249. [08:43:16] * hillsy_ ( Quit (Client Quit)
  250. [08:43:31] * hillsy ( has joined #openid
  251. [08:55:16] * daedeloth ( has joined #openid
  252. [09:54:10] * shigeta ( has joined #openid
  253. [10:10:54] * shigeta_ ( Quit (Read error: 110 (Connection timed out))
  254. [10:20:44] * Orango (n=s-e@wikimedia/Orango) has joined #openid
  255. [10:22:27] * Orango (n=s-e@wikimedia/Orango) Quit (Client Quit)
  256. [10:33:37] * x10 ( has joined #openid
  257. [10:33:56] * x10 ( has left #openid
  258. [11:05:47] * shigeta ( Quit ("Leaving...")
  259. [11:18:12] * MrTopf ( has joined #openid
  260. [11:26:22] <jonny> so aahh
  261. [11:26:42] <jonny> beep me when facebook implements openid as server ok?
  262. [11:26:54] <jonny> I want to dispose of fb connect
  263. [11:32:31] <jonny> also what is the proper endpoint of google's?
  264. [11:41:04] * qwp0 ( Quit (Remote closed the connection)
  265. [11:42:31] * qwp0 ( has joined #openid
  266. [11:42:37] * Joran ( has joined #openid
  267. [11:44:09] <Joran> hi guys, are there any active (ideally multi-user) standalone servers any more, it would seem that most have died a death, and the one thing I loved about the idea of openid is that you don't have to rely on a third party and give them all your details
  268. [11:44:29] <Joran> (everything else I liked rather than loved, to be fair!)
  269. [11:47:14] <qwp0> jonny:
  270. [11:59:11] * MacTed (n=Thud@ has joined #openid
  271. [12:05:17] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")
  272. [12:16:17] * daedeloth ( Quit (Remote closed the connection)
  273. [12:17:36] <jonny> qwp0: thanks
  274. [12:27:09] <flaccid> jonny there are already plenty of openid providers, there is no need for facebook to become an OP. what we need is facebook to be a real RP. so far they are having issues even being half an RP:
  275. [12:28:13] <flaccid> Joran the example/server in the janrain libs works fine
  276. [12:28:14] <jonny> facebook has a good load of users, so a lot of users could make use of openid that way....
  277. [12:29:00] <jonny> and its in a way nice that FB has the ideal to have "real" people with real names, as opposed to many other communities where users have fake aliases, or gibberish email addresses etc
  278. [12:29:35] <flaccid> jonny they can do that without becoming a provider via delegation. a good fair whack of FB users probably already have an openid somewhere else like yahoo, google, microsoft etc.
  279. [12:29:53] <jonny> true
  280. [12:30:21] <jonny> well in my current implementation there's hardly any difference now between all the openids and the facebook connect
  281. [12:30:33] <jonny> except the fb connect uses ugly reloading javascript...
  282. [12:31:03] <flaccid> jonny well facebook doesn't support any open social technologies. its just another big commercial entity not sharing
  283. [12:31:55] <flaccid> well let me correct that, they use some open social technologies but not in a standard way
  284. [12:32:14] <Joran> flaccid: I'm fighting with simpleid at the moment, I might try that if I can find it... it doesn't look easy to find
  285. [12:32:43] <flaccid> Joran its distributed in the janrain libs, pretty easy to find
  286. [12:32:48] <qwp0> jonny: The Facebook guys have begun supporting twitter-like usernames recently, too -- they seem to have realized this is the way Internet identities are.
  287. [12:33:14] <flaccid> Joran do keep in mind that there are enough openid providers out there. you might want to checkout delegation
  288. [12:33:22] <Joran> flaccid : the janrain libs aren't advertised as "the janrain libs" on their website
  289. [12:33:33] <Joran> flaccid : yeah, but I don't want to delegate
  290. [12:33:37] <flaccid> Joran um so ?
  291. [12:34:02] <Joran> I have my own web server and am happy keeping my information under my control
  292. [12:34:39] * ertai ( has joined #openid
  293. [12:34:57] <flaccid> Joran thats fine. so and at the bottom of that page link to the demo
  294. [12:35:20] <Joran> php-openid is unsupported and abandoned.
  295. [12:35:30] <flaccid> the examples provided in the libs helped me to understand and get to know the specification
  296. [12:35:35] <jonny> so
  297. [12:35:41] <jonny> the mixi endpoint
  298. [12:35:49] <jonny> where did it go...
  299. [12:37:00] <flaccid> Joran no its not, you are referring to 'PHP Standalone OpenID Server' as per
  300. [12:37:17] <flaccid> jonny sorry ?
  301. [12:39:30] <Joran> flaccid: I see... hmm....
  302. [12:41:11] <flaccid> :)
  303. [12:41:43] <jonny> oh hm the live demo consumer works with mixi...
  304. [12:41:45] <flaccid> Joran so the is exactly what is included
  305. [12:41:47] <jonny> i must have messed up somewhere..
  306. [12:42:09] <flaccid> jonny no they did. remember you are probably logged in to that site.
  307. [12:42:25] <Joran> oh, yeah, that's obviously a fully functional server... doesn't support passwords, sreg or any of the features the ones that were abandoned did. *sigh*
  308. [12:42:35] <jonny> but it works from
  309. [12:43:00] <flaccid> but i did find that what that site spits out is a bit random and they might do UA sniffing for some reason or at least try to determine if the request is an openid auth
  310. [12:43:26] <flaccid> jonny sometimes the html elements go in, sometimes not and i never got any xrds http headers
  311. [12:45:41] <flaccid> jonny like just then, did it in opera, it did the discovery and then went to the login
  312. [12:46:14] <flaccid> my example rp which is exactly the same returns Authentication error; not a valid OpenID. in safari
  313. [12:46:40] <jonny> what do you mean the html elements go in??
  314. [12:47:06] <jonny> you mean you reach the login page?
  315. [12:47:06] <flaccid> and just then in firefox it worked
  316. [12:47:17] <flaccid> first step is html or xrds discovery to get the endpoint
  317. [12:47:21] <jonny> ah
  318. [12:47:22] <jonny> I see
  319. [12:47:33] <jonny> I installed Firebug earlier, is that what you use to see the jumps?
  320. [12:47:47] <flaccid> considering it works in some browsers its almost like they UA sniff to prevent using in certain browsers
  321. [12:47:55] <flaccid> yep thats the easiest way
  322. [12:47:56] <jonny> it should be enough to enter "" in the input
  323. [12:48:17] <flaccid> redirects to
  324. [12:48:20] <jonny> even though I found but it doesnt work
  325. [12:48:23] <jonny> yeah same
  326. [12:48:48] <flaccid> define doesn't work ... it gives you the login box to login, i just don't have an account obviously
  327. [12:49:20] <jonny> the library tells me "Authentication error; not a valid OpenID." in my implementation
  328. [12:49:59] <jonny> i'll try with all browsers i have. ff3, ie6, chrome, safari 4
  329. [12:50:33] <flaccid> yeah true
  330. [12:50:39] <flaccid> i think you could be right
  331. [12:52:28] <jonny> ok now the example doesnt even work anymore
  332. [12:52:45] <jonny> maybe there's something like a silent "sorry tried too many times"
  333. [12:54:11] <flaccid> jonny so you managed to get a fail on the openidenabled demo example consumer ?
  334. [12:54:31] <jonny> actually the openidenabled demo still works...
  335. [12:54:40] <jonny> my own demo worked too, for a while.. but not now...
  336. [12:54:45] * ertai ( has left #openid
  337. [12:54:45] <jonny> sigh
  338. [12:54:56] <flaccid> yeah still think its a random fail on their behalf
  339. [12:55:00] <jonny> yeah i can log in all the way on openidenabled
  340. [12:55:07] <flaccid> it seemed a little random
  341. [12:55:47] <flaccid> go to the discovery part in the example and see what it gets when it does it
  342. [12:55:53] <flaccid> i can do that soon probably tonight
  343. [12:56:00] <jonny> hmm how?
  344. [12:56:11] <jonny> You have successfully verified as your identity. Your nickname is '��'.
  345. [12:56:13] <jonny> No PAPE response was sent by the provider.
  346. [12:56:15] <flaccid> it'll be in the code
  347. [12:57:20] <flaccid> but yeah the example consumer i set up has not failed on any other provider i have tested and it is totally untouched from darcs get and then symlink to example/consumer ..
  348. [13:04:25] <Joran> argh. clamshell works but doesn't do yadis or delegation :S
  349. [13:06:08] <flaccid> that thing is horrible
  350. [13:09:16] <flaccid> i don't know if that thing supports openid 2.0
  351. [13:09:51] <flaccid> in that time you spent wasting, you could already have used the one available that supports what you need
  352. [13:20:12] <flaccid> jonny yeah he could be the store or something in getConsumer() at least
  353. [13:20:53] <jonny> me?
  354. [13:21:04] <jonny> don't blame me!
  355. [13:21:09] <flaccid> im not
  356. [13:21:11] <flaccid> at all
  357. [13:21:40] <jonny> jo + tabbed?
  358. [13:23:20] <flaccid> huh?
  359. [13:34:21] <Joran> flaccid: what one available supports what I need? multiple users authenticated, sreg and yadis? I fail to see a host-your-own server that provides that without coding.
  360. [13:35:28] <flaccid> Joran technically the example/server does that. yes anything else you want to do you will need to code.
  361. [13:35:52] <Joran> it doesn't do authentication at all!
  362. [13:36:03] <Joran> i.e. password per user
  363. [13:36:07] <flaccid> jonny so far i have established that $auth_request = $consumer->begin($openid); is returning null. so i will check the library inputs and outputs
  364. [13:36:22] <flaccid> Joran it supports unlimited users with openid authentication, technically.
  365. [13:36:39] <flaccid> Joran go learn some php/mysql. it wouldn't be hard to hook up to a user table.
  366. [13:36:54] <flaccid> you did not specify a password requirement :)
  367. [13:37:36] <Joran> flaccid, not the point. I am actually a developer, but I don't want to spend my time reinventing the wheel.
  368. [13:38:07] <flaccid> Joran the wheel you are after is not available publicly.
  369. [13:38:47] <Joran> it's also one of the wheels that lack of will deter openid takeup :(
  370. [13:39:31] <flaccid> Joran i disagree. there are already plenty of openid providers out there, we don't need any more.
  371. [13:41:09] <Joran> flaccid: a lot of people want freedom from their data being outside their control.
  372. [13:41:24] <qwp0> flaccid: that's pretty weird reasoning, IMO
  373. [13:42:01] <Joran> how can an end-user have any more confidence in say "myOpenId" than "google" or "yahoo"?
  374. [13:42:05] <flaccid> openid uptake is not about creating openid providers, its about supporting openid login
  375. [13:42:47] <flaccid> if you want to run your own servers, then write your own code. atm you are looking to trust someone elses code anyway
  376. [13:43:41] <Joran> one of the beauties of opensource code is that trusting the code is not a leap of blind faith
  377. [13:45:05] <flaccid> and in the time you have spent complaining you could have modified the example/server to use mysql with a user table.
  378. [13:45:25] <flaccid> thats one of the beauties of open source.
  379. [13:47:02] <Joran> no point arguing here I guess, you disagree with my pov and won't credit my opinions with any worth so there's no point even stating them obviously.
  380. [13:48:23] <flaccid> i wasn't aware that i needed to credit your opinions. you didn't credit mine either
  381. [13:50:05] <flaccid> jonny openid discovery with mixi is failing. somewhere in the instantiation of the consumer object when creating the server endpoint object
  382. [13:50:34] <jonny> oaky
  383. [13:50:40] <jonny> *okay
  384. [13:52:17] <flaccid> i have to go do a few things but i will continue debugging after that. its possible the html discovery is failing because of their charset/non english/no dtd etc. but thats just a guess at this stage - need to check if its trying html or xrds or both. but anyway back a little later
  385. [13:52:41] <Joran> well it appears to me as an end-user, openid is not ready for usage. That indicates I need not implement it for web sites I create, as people I target would find similar results to me.
  386. [13:54:23] <jonny> huh why Joran?
  387. [13:54:48] <jonny> oh confidence?
  388. [13:54:52] <Joran> because I don't want a third party being in control of my data
  389. [13:55:03] <jonny> so you dont sign up for hotmail or gmail?
  390. [13:55:17] <Joran> not when I have a choice
  391. [13:55:32] <Joran> (I use scroogle to search for example)
  392. [13:55:38] <jonny> lol
  393. [13:55:47] <Joran> and that's the point
  394. [13:55:49] <qwp0> Joran: are you running a Freenode server? because otherwise a third party is being in control of your data
  395. [13:56:53] <Joran> I have a choice to use openid and if it were useable I would. but I'm not about to think myopenid is any better than any other company for data security, govt. cooperation or any other facet of data manipulation
  396. [13:57:17] <jonny> Joran so you'd rather implement your own member authentication on your own website, rather than let players like google, myopenid etc do that for you?
  397. [13:57:26] <jonny> would people trust you more than any other?
  398. [13:57:45] <Joran> jonny: yes, because I'm talking about family and friends.
  399. [13:57:53] <jonny> ok
  400. [13:58:10] <jonny> but if you make a website for general customers/users...
  401. [13:58:13] <Joran> limited numbers - probably max 10
  402. [13:58:15] <jonny> they won't be your friends ;)
  403. [13:58:21] <Joran> I'm not aiming to
  404. [13:58:32] <qwp0> Joran: well, you can run your own OpenID server (which is a bit problematic as we've seen but it's possible)
  405. [13:59:22] <Joran> qwp0: there appear to be none that are functional without coding, so I would disagree with you, I can't.
  406. [14:01:35] <Joran> jonny: no, it's about confidence - I do actually create other websites, but I don't have confidence that openid will take off because there's too high a hurdle to become a provider. So my technical advice to people asking if it's worth implementing it, would be "it's not worth it due to the minority audience".
  407. [14:02:03] <jonny> well
  408. [14:02:21] <jonny> on they say they have millions of openid enabled users
  409. [14:02:21] <qwp0> Joran: as far as you can type and are even able to run your own web server, you should be able to run an OpenID server as well; the fact it requires a little coding doesn't mean you can't run your own server
  410. [14:02:25] <jonny> that would be all google users etc
  411. [14:02:38] <jonny> so minority, that depends on what you mean
  412. [14:02:41] <Joran> the people imho who are likely to be early adopters are the very people who would be no more likely to sign up for myopenid than google.
  413. [14:03:16] <qwp0> Joran: actually, when you run a website which is not OpenID-enabled you don't allow other users to control their identities, which is apparently one of your main concerns
  414. [14:03:33] <jonny> and when mixi gets their thing going, you have 80% of the community share of Japan connected to openid..
  415. [14:04:01] <jonny> i'd say it looks promising
  416. [14:04:16] <Joran> qwp0: true, but my priorities differ personally to professionally.
  417. [14:04:27] <jonny> ok, i have to get home now... ttyl
  418. [14:04:40] <Joran> bye jonny
  419. [14:04:44] <jonny> bye
  420. [14:04:47] * jonny ( Quit ("ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]")
  421. [14:05:42] <Joran> if a forum I'm using has openid abilities of course I'll enable it - it's a zero cost then
  422. [14:08:21] <qwp0> Joran: well, you should use a forum that provides support for OpenID logins ;)
  423. [14:10:55] <Joran> qwp0: I do but it's not a priority in choosing one, because I simply don't see it taking off because in the end as it says on : "In the end you should choose a Provider from a company which you trust."
  424. [14:12:18] <Joran> and how many internet companies exist that any of my social circle trust? not many, if any.
  425. [14:18:29] <qwp0> Joran: as a webmaster, you should support OpenID because it's (one of) the most promising SSO/identity management systems out there; as an end-user, the more sites are OpenID-enabled, the bigger is the probability that an easy-to-install OP is created and therefore you can install/use it
  426. [14:19:14] <qwp0> ...without letting any third party control your data
  427. [14:20:00] <qwp0> I think we should mix the webmaster/end-user POV's
  428. [14:20:04] <qwp0> should not
  429. [14:20:37] <Joran> qwp0: lovely sentiments, or I can just cope without until such time as it becomes a sensible option. As a webmaster, if it doesn't cost me time, I'll enable openid, if it does but only a little, I will, if it costs a lot of time then I won't.
  430. [14:20:57] * Orango (n=s-e@wikimedia/Orango) has joined #openid
  431. [14:26:22] <qwp0> Joran: with most of major wikis (Mediawiki has an OpenID extension) / CMS's (Drupal as well) / forum systems (I guess a mod for phpBB exists, too) making a site an RP is not a problem
  432. [14:27:08] <Joran> yeah, most of the time I do find there's a module for openid login for any software I use.
  433. [14:28:35] <qwp0> so almost all your web sites allow OpenID logins, right?
  434. [14:30:23] <Joran> no, 'cos most of my web sites either don't have logins or the logins are limited groups (and so the data is already held elsewhere)
  435. [14:31:25] <Joran> there's only one site I host that could benefit from openid and as I'm barely involved with it these days, I am not gonna stir it up
  436. [14:36:47] <qwp0> thus you're rather a user than a webmaster when dealing with OpenID, aren't you?
  437. [14:37:52] <qwp0> and your main problem is that there is no provider, which doesn't require some additional coding, available, right?
  438. [14:38:07] <qwp0> provider as software
  439. [14:39:28] <Joran> currently yes
  440. [14:40:23] <qwp0> I think I may have a look at it then, since I'm interested how hard it is to modify the server ;)
  441. [14:40:31] <Joran> :-)
  442. [14:41:40] <Joran> I would be overjoyed to have a provider that just "works" - I don't care much about the storage engine so long as it's not ridiculously insecure!
  443. [14:41:59] <qwp0> 'K, I'll have a look :)
  444. [14:43:19] <Joran> qwp0: shall I /msg you my email address?
  445. [14:43:33] <qwp0> Joran: why not ;)
  446. [14:55:34] * daleolds ( has joined #openid
  447. [14:58:38] * Orango (n=s-e@wikimedia/Orango) Quit ("Leaving")
  448. [14:59:26] <Joran> when did openvatar go bellyup?
  449. [15:00:43] * daleolds ( Quit ("Leaving.")
  450. [15:03:55] * hillsy ( Quit ("Leaving")
  451. [15:07:27] * sjobeck ( has joined #openid
  452. [15:14:34] * daedeloth ( has joined #openid
  453. [15:15:08] * benblack (n=bb@ has joined #openid
  454. [15:26:43] * sjobeck ( Quit ()
  455. [15:34:24] * sjobeck (n=sjobeck@ has joined #openid
  456. [15:36:05] * sjobeck (n=sjobeck@ has left #openid
  457. [15:41:32] * daleolds ( has joined #openid
  458. [15:59:15] * elliottcable ( Quit (Remote closed the connection)
  459. [16:10:00] * singpolyma ( has joined #openid
  460. [16:18:20] <flaccid> Joran so you are happy to keep other people's data, isn't that a bit hypocritical?
  461. [16:19:35] <Joran> flaccid: nope. the data I hold on my server about others is only data that is needed for the application.
  462. [16:20:12] <flaccid> Joran: you have that same choice with any openid provider.
  463. [16:21:16] <Joran> it's not about that though - if I run my own openid provider, it's on my server.
  464. [16:21:35] <Joran> I will allow friends and family to use it too.
  465. [16:21:35] <flaccid> before you were saying its about that
  466. [16:21:51] <flaccid> you also said you were a developer, but seem to be either too lazy or not competent to modify some code
  467. [16:23:36] <Joran> flaccid: keep the veiled insults to yourself, thanks. I am not only a developer, nor only a web developer nor only a user. As a user I do not want to have to do development to host my own openid service. Much as I wouldn't want to write an smb server to share files with a windows box!
  468. [16:24:35] <singpolyma> flaccid: You are a bit quick to be condescending sometimes :)
  469. [16:25:27] <flaccid> sure but with good reason
  470. [16:28:05] <flaccid> the janrain libs are provided free and open under the apache license 2.0. lots of people put time into the openid specification and the software such as the libraries which come with example consumers and providers. free speech and free beer all in one. i for one am totally grateful for the time, effort and money these people put in to provide what we have available to date.
  471. [16:28:45] * jochen ( Quit (Read error: 113 (No route to host))
  472. [16:29:49] <flaccid> singpolyma you have contributed yourself and as a user and developer i really appreciate it and will always recognise that it enabled me for example, to easily host my openid delegation to the provider(s) of my choice, whether it be myself or a 3rd party.
  473. [16:30:08] <flaccid> i didn't come into this channel and complain with dozens of negative comments.
  474. [16:30:30] <flaccid> singpolyma unfortunately you missed all that
  475. [16:30:56] <singpolyma> flaccid: sorry, I'm not trying to get into an argument. I realize I came in near the end of your discussion
  476. [16:31:25] <flaccid> oh i thought it ended but when i came back it had started all over again..
  477. [16:33:06] <flaccid> technically with the example/server you could enable it to bind against an array of username/password name value pairs. although not great, it can be done in a few lines of code and about 10mins of ones time.
  478. [16:34:27] * benblack_ (n=bb@ has joined #openid
  479. [16:40:00] <flaccid> Joran i did just realise an option for you however. the latest/recent version of the xrds-simple plugin made by singpolyma and will norris has an openid provider based on those libs.
  480. [16:40:48] <singpolyma> flaccid: well, the xrds-simple and wp-openid plugins together
  481. [16:40:58] <singpolyma> will let you run an OpenID server for users on a WordPress install
  482. [16:41:21] <singpolyma> Is that what Joran wants? His own OP with multiple users?
  483. [16:41:35] <singpolyma> Yeah, the standard solution (PHPmyID) is single user
  484. [16:41:49] <flaccid> yep sorry forgot to mention that. i was nagging will the other day via email and he assisted me heh i needed to upgrade the wp-openid plugin for it all to work/have the options available
  485. [16:42:09] <flaccid> yes and old, modified libs, badly maintained etc.
  486. [16:42:17] <flaccid> you guys didn't modify the libs at all ?
  487. [16:43:52] <singpolyma> Not that I know of
  488. [16:44:04] <singpolyma> Pretty sure any patches have been mainlined
  489. [16:44:19] <flaccid> only feedback i have on that is maybe a bit more doco on that plugin page and perhaps boasting about the OP component
  490. [16:44:25] <flaccid> cool
  491. [16:55:45] <flaccid> singpolyma testing as RP for jonny and its failing on yadis $m = $disco->getManager();
  492. [16:56:18] <singpolyma> does mixi generally work well as an RP?
  493. [16:59:39] * xpo (n=xpo@bearstech/xpo) Quit (Read error: 104 (Connection reset by peer))
  494. [17:00:46] * xpo_air ( has joined #openid
  495. [17:02:22] * voidstar_ (n=bb@ has joined #openid
  496. [17:06:06] * benblack (n=bb@ Quit (
  497. [17:07:46] <flaccid> singpolyma not really. but seems the example consumer works but both me and jonny's example consumer doesn't. mine is darcs checkout only, nothing touched and it works with every other RP i can think of to test with
  498. [17:08:08] <singpolyma> you mean example server
  499. [17:08:09] <flaccid> its failing in discovery with getManager, i'm thinking that it could be the characters being fetched in html discovery
  500. [17:08:29] <flaccid> is only a provider as far as i can see
  501. [17:09:21] <singpolyma> So your example consumer checkouts are failing with your example servers?
  502. [17:09:52] * ponchopilate ( Quit ()
  503. [17:11:11] <flaccid> no example/consumer fails with only
  504. [17:11:44] <flaccid> something in getManager it seems (so far)
  505. [17:14:28] * benblack_ (n=bb@ Quit (Read error: 60 (Operation timed out))
  506. [17:15:00] <singpolyma> but works with other RPs just fine?
  507. [17:15:01] <singpolyma> interesting
  508. [17:15:57] <flaccid> i think it might be $manager_str = $this->session->get($this->getSessionKey());
  509. [17:17:10] <flaccid> i think it could be a logical error
  510. [17:20:19] <flaccid> could also be as simple as open_basedir not set. that would make sense
  511. [17:21:12] <singpolyma> Do your local RPs work with other OPs?
  512. [17:21:29] <flaccid> hmm nah its not set on mine which means its not confined and it does write to /tmp
  513. [17:21:54] <flaccid> yes. this is the example/consumer untouched and works with every other op i can test with
  514. [17:23:05] <singpolyma> maybe does not support openid2
  515. [17:23:07] <flaccid> thing is $manager_str = $this->session->get($this->getSessionKey()); returns the data from my last successful auth (dif identity) even after session is cleared
  516. [17:23:09] * mosites ( has joined #openid
  517. [17:23:33] <flaccid> i read it was only openid 2.0
  518. [17:24:07] <singpolyma> hmm, scratch that theory then
  519. [17:25:43] <flaccid> xrds seems set up right on their end
  520. [17:25:49] * voidstar_ (n=bb@ Quit (Read error: 110 (Connection timed out))
  521. [17:28:08] <flaccid> looks like its in the session method
  522. [17:41:10] * singpolyma ( Quit ("Lost terminal")
  523. [17:49:19] * xpo_air ( Quit ()
  524. [17:52:00] * ertai ( has joined #openid
  525. [18:00:01] * singpolyma (n=singpoly@ has joined #openid
  526. [18:01:02] <flaccid> wb
  527. [18:05:48] * jochen_ ( has joined #openid
  528. [18:17:57] * MrTopf ( Quit ()
  529. [18:19:16] * TedThibodeauJr (n=Thud@ has joined #openid
  530. [18:28:27] * MacTed (n=Thud@ Quit (Read error: 110 (Connection timed out))
  531. [18:28:42] * singpoly1a (n=singpoly@ has joined #openid
  532. [18:37:29] * singpolyma (n=singpoly@ Quit (Read error: 110 (Connection timed out))
  533. [18:38:27] * Joran ( Quit (Read error: 104 (Connection reset by peer))
  534. [18:38:56] * TedThibodeauJr is now known as MacTed
  535. [19:00:34] <flaccid> hmm its the xrds document that the rp does not like for
  536. [19:00:37] <flaccid> but i can't figure out why
  537. [19:02:05] <singpoly1a> flaccid: do you just use and directed identity, or what is your identity uri?
  538. [19:03:33] <flaccid> i don't have one there, but i am pretty sure i just confirmed 1 of my original guesses
  539. [19:03:38] <flaccid> so yeah
  540. [19:03:49] <flaccid> it is because xrds http header they use is https
  541. [19:04:07] <flaccid> when i wget, i get ERROR: Certificate verification error for unable to get local issuer certificate
  542. [19:04:29] <flaccid> and asks me to To connect to insecurely, use `--no-check-certificate'.
  543. [19:05:08] <flaccid> copy local and put the xrds location in the header, same issue with https, no problems on http
  544. [19:05:16] <flaccid> so this must be the paranoid xrds fetcher
  545. [19:05:35] <singpoly1a> curl -i works on my system with no errors
  546. [19:05:39] <singpoly1a> I think your TLS is messed up
  547. [19:06:11] <singpoly1a> wget also works for me on that URL
  548. [19:07:37] <flaccid> true. i only get that message on 1 server of mine. i don't get it on the client i have in web browser
  549. [19:08:11] <flaccid> doesn't explain why it works without http then and why jonny has the same issue
  550. [19:09:05] <flaccid> actually its on the same server so yeah that makes sense
  551. [19:09:21] <flaccid> apache/php would be using same openssl
  552. [19:09:55] <singpoly1a> yes
  553. [19:10:28] <flaccid> ok so me and jonny have screwed up tls on our servers
  554. [19:10:48] <flaccid> weird for me, i run freebsd and everything else tls works fine
  555. [19:11:35] <flaccid> ok so when he comes back in i'll ask him to try curl and wget on the server i set the example up on and see if it has issues like me
  556. [19:12:22] <flaccid> i=he
  557. [19:13:56] <flaccid> its COMODO CA so its a normal kind of issuer
  558. [19:15:06] <flaccid> ok so one more test to verify this, i'll try myopenid w/ tls, if it works then heh obviously that has to be it
  559. [19:16:12] <flaccid> lol i mean if it doesn't work
  560. [19:16:33] <flaccid> true the rp example doesn't like it. no see if wget does the same thing
  561. [19:17:50] * xpo (n=xpo@bearstech/xpo) has joined #openid
  562. [19:19:19] <flaccid> well example RP rejected both and but work in sheel
  563. [19:19:27] <flaccid> shell. so im not so sure heh
  564. [19:19:43] <flaccid> oops
  565. [19:19:49] <flaccid> i mean https://flaccid..
  566. [19:20:55] <flaccid> ok so will just assume that the local tls is the problem. that will do just fine heh
  567. [19:24:53] <flaccid> seems like this
  568. [19:28:58] <flaccid> on that note do you think there is any reason to do https on yadis profiles ?
  569. [19:30:03] * MacTed (n=Thud@ Quit ()
  570. [19:31:29] * xpo (n=xpo@bearstech/xpo) Quit ()
  571. [19:31:43] <flaccid> hey singpoly1a boom! it has to be this for me and for jonny likely missing the ca-certificates package if its ubuntu/debian..
  572. [19:38:32] <flaccid> also seems like the sec team have gotten rid of supporting anything in the ca root area
  573. [19:41:44] * singpolyma (n=singpoly@ has joined #openid
  574. [19:44:31] <flaccid> wb
  575. [19:44:38] <flaccid> did you miss all my blabber ?
  576. [19:57:48] * singpoly1a (n=singpoly@ Quit (Read error: 110 (Connection timed out))
  577. [20:12:19] * singpolyma reads over stuff
  578. [20:12:27] <singpolyma> glad you found the issue :)
  579. [20:12:43] <singpolyma> As I've said before, if you don't discover over TLS, your security model is screwed
  580. [20:12:54] <singpolyma> until the signing stuff from the XRD work comes out
  581. [20:16:42] <flaccid> yeah unfortunately its a question of who to trust and that in freebsd and other OS/distros, they don't trust anyone by default
  582. [20:18:37] <flaccid> this OS supports x,y,z ca roots, this other only supports a,b,c and this one trusts no one
  583. [20:21:11] <singpolyma> yeah :)
  584. [20:21:26] <singpolyma> you can import the root certs yourself from CAs you care about
  585. [20:21:36] <singpolyma> you may need root for that, though
  586. [20:22:57] <flaccid> yeah but that still goes back to the question of 'who should you trust'
  587. [20:23:10] <singpolyma> sure, of course it does :)
  588. [20:23:25] <flaccid> which has lead me to believe that as an RP or OP or even anything, you need to put a page up of the CA roots you support
  589. [20:23:28] <singpolyma> I trust arbitrary CA X more than I trust completely clear DNS ;)
  590. [20:23:38] <flaccid> to a normal user, that just confuses them more
  591. [20:23:38] <singpolyma> It wouldn't hurt, for sure
  592. [20:23:59] <singpolyma> Well, normal users will use OPs with a cert from the big 4 I would think
  593. [20:24:13] <singpolyma> hopefully the signing stuff in XRD has some best practises about CAs to support
  594. [20:24:21] <singpolyma> will or eran would know more about that
  595. [20:25:23] <flaccid> true
  596. [20:26:26] <flaccid> but for people trying to do an RP and testing on a https OP they aint going to know about this which is i guess what we established
  597. [20:26:52] <flaccid> i didn't even realise https or think about it it properly til later
  598. [20:26:54] <singpolyma> yeah
  599. [20:27:05] <flaccid> i saw that problem but didn't think much of it
  600. [20:27:09] <singpolyma> well, the example RP really should give better error messages
  601. [20:27:13] <flaccid> coz it was working elsewhere
  602. [20:27:27] <flaccid> yeah a bit more logic
  603. [20:27:37] <flaccid> i had to dig real deep to even get to that
  604. [20:29:22] <flaccid> oh and i have not got a browser yet that accepts my new startssl cert
  605. [20:29:48] <singpolyma> where are you using it?
  606. [20:29:57] <flaccid> on my web server
  607. [20:30:08] <flaccid> tried all environments i could
  608. [20:30:09] <singpolyma> no, I mean URL, I'd like to see if my browser likes it ok :)
  609. [20:30:24] <flaccid>
  610. [20:30:58] <flaccid> seems to be trusted you probably need money and a big commercial entity
  611. [20:31:28] <flaccid> in essence in some browser this cert is more 'rejected' than a self-signed one
  612. [20:31:35] <singpolyma> my browser trusts that cert
  613. [20:31:40] <flaccid> OS ?
  614. [20:31:44] <singpolyma> Ubuntu Jaunty
  615. [20:31:53] <flaccid> eek
  616. [20:32:05] <flaccid> i've tested freebsd, windows, mac os x
  617. [20:32:07] <singpolyma> firefox 3.0
  618. [20:32:13] <flaccid> yes
  619. [20:32:20] <flaccid> and all the other ones he says
  620. [20:32:35] <singpolyma> my curl does not accept your cert
  621. [20:32:43] <singpolyma> nor my wget
  622. [20:33:07] <flaccid> which suggests its a conspiracy
  623. [20:33:11] <singpolyma> something odd
  624. [20:33:12] <flaccid> ubuntu+firefox
  625. [20:33:24] <flaccid> i don't use that heh
  626. [20:33:49] <singpolyma>
  627. [20:34:02] <singpolyma> says firefox3 accepts startcom free
  628. [20:34:15] <singpolyma> verification level 1
  629. [20:34:43] <flaccid> its not true
  630. [20:34:58] <flaccid> trust roots are usually not a browser thing but rather OS level
  631. [20:36:59] <singpolyma> I'm pretty sure in Firefox they're separate from the OS level (certainly are on my system, as just demonstrated)
  632. [20:37:26] <flaccid> atm im on windows
  633. [20:37:31] <singpolyma> shows "supported by" and firefox, flock, safari logos
  634. [20:37:32] <flaccid> that is actually most important
  635. [20:37:37] <singpolyma> I would write support
  636. [20:37:49] <flaccid> yeah i noticed that. i tested safari too on all 3 platforms, no go
  637. [20:38:13] <flaccid> actually safari on windows i think works
  638. [20:38:22] <singpolyma> I would write the startcom support and see what's up
  639. [20:38:31] <flaccid> yeah i might do that
  640. [20:39:09] <flaccid> seems ironic that the only one that may of worked is from apple on a windows platform :=
  641. [20:40:28] <singpolyma> indeed
  642. [20:41:00] <flaccid> i appreciate your time and info, it is a bit more of an insight to reality here...
  643. [20:41:08] <singpolyma> :)
  644. [20:41:24] <flaccid> that being said, if you were to spend dollars on a cert, heh what is the 'most supported' ?
  645. [20:41:36] <flaccid> go spend a 1000 bux or some crap on verisign ?
  646. [20:41:38] <singpolyma> well, depends what you want to spend
  647. [20:41:48] <flaccid> lets not worry about the spend
  648. [20:41:52] <singpolyma> godaddy is cheap and well-supported (even IE)
  649. [20:41:57] <flaccid> but rather the client-side support
  650. [20:42:02] <singpolyma> verisign is what you really want if you have the money
  651. [20:42:08] <flaccid> godaddy is a CA ?
  652. [20:42:14] <singpolyma> verisign, highest verification level, with EV :)
  653. [20:42:16] <singpolyma> yes
  654. [20:42:28] * flaccid goes to look
  655. [20:42:58] <flaccid> godaddy does look cheap
  656. [20:43:02] <singpolyma> yeah
  657. [20:43:21] <flaccid> i assume the middle options i uac
  658. [20:43:49] <flaccid> ucc i mean
  659. [20:44:07] <singpolyma> dunno. If I were to pay more than lowest-level godaddy I'd probably go with highest-level godaddy
  660. [20:44:16] <singpolyma> after that, equifax or verisign
  661. [20:45:15] <flaccid> hmm
  662. [20:45:38] <flaccid> maybe Multiple Domain (UCC) Just $89.99/yr would be suited for us
  663. [20:46:24] <flaccid> seems like just a commercial thing in the end. once you get on the 'ca list' see what you can charge
  664. [20:46:45] <flaccid> the actual encryption layer is the same its just the verified ca
  665. [20:47:20] <singpolyma> yeah. I don't usually care much about encryption anyway
  666. [20:47:30] <singpolyma> It's signing/verification that's really interesting
  667. [20:47:56] <flaccid> yeah. but only problem i got is 1 public IP limitation
  668. [20:48:12] <flaccid> in that case i say screw the clients until we make money
  669. [20:48:36] <flaccid> thats going to be for some time because we are not taking on new clients until we finish r&d which could be about 1 year atm
  670. [20:48:59] * Orango (n=s-e@wikimedia/Orango) has joined #openid
  671. [20:49:05] <singpolyma> yeah :)
  672. [20:54:17] <flaccid> Opera doesn't support startssl heh thats what i use..
  673. [20:55:39] <flaccid> meh startssl can't design a website its bad. how do i contact them ?
  674. [20:55:42] <singpolyma> So submit a patch ;) wait... you can't. Yeah, screw Opera
  675. [20:56:13] <singpolyma>
  676. [20:56:20] <flaccid> as i demonstrated before patches can be rejected just as easily on open source..
  677. [20:57:10] <singpolyma> no. they can be rejected more easily, because they can exist at all :)
  678. [20:58:57] <flaccid> im not sure if i understand
  679. [20:59:33] <singpolyma> Proprietary software companies can't reject your patches, because you can't create them in the first place.
  680. [20:59:53] <flaccid> thats true
  681. [21:00:11] <flaccid> and sometimes you go to such effort in open source to only be rejected by some tool that has power
  682. [21:00:16] <flaccid> that for me is more unrewarding
  683. [21:00:45] <flaccid> in this case, its not a patch. its security policy.
  684. [21:02:15] <singpolyma> No one has the power. Not really. You can run and distribute a version with your patch. People do it all the time
  685. [21:02:38] <singpolyma> It's obviously more rewarding when your patch gets "accepted", but that's not exactly the point
  686. [21:03:04] <flaccid> but who feels like they have achieved anything by forcing to fork
  687. [21:03:20] <flaccid> i don't like that, it defeats the purpose
  688. [21:03:34] <flaccid> all this behaviour makes the software, um, patchy
  689. [21:04:01] <singpolyma> And what, in your mind, is "the purpose" that is being defeated by running a forked version?
  690. [21:05:43] <flaccid> i got better things to do
  691. [21:05:47] <flaccid> im also a socialist
  692. [21:05:53] <flaccid> eddy replied fast "At the moment the StartCom CA root is supported by Apple and Mozilla software. Microsoft will start support in September this year. There might be others which we don't know about."
  693. [21:06:02] <flaccid> i told him about how i couldnt get any firefox to go
  694. [21:22:51] * remitaylor ( has joined #openid
  695. [21:24:57] * daleolds ( Quit ("Leaving.")
  696. [21:25:17] * daleolds ( has joined #openid
  697. [21:39:31] * Orango (n=s-e@wikimedia/Orango) Quit ("Leaving")
  698. [22:27:08] * qwp0 ( Quit (Read error: 110 (Connection timed out))
  699. [22:39:28] * daedeloth ( Quit (Remote closed the connection)
  700. [22:58:33] * MrTopf ( has joined #openid
  701. [23:15:06] * MrTopf ( Quit ()
  702. [23:15:17] * xpo (n=xpo@bearstech/xpo) has joined #openid
  703. [23:23:01] * jochen_ ( Quit (Remote closed the connection)
  704. [23:40:26] * remitaylor ( Quit ("Leaving.")
  705. [23:46:57] * daleolds ( has left #openid

These logs were automatically created by OpenIDlogbot on using a modified version of the Java IRC LogBot.