IRC Log for #openid on 2009-06-26

Timestamps are in UTC.

[00:02:02] * MacTed (n=Thud@66.30.249.84) Quit (Read error: 110 (Connection timed out))
[00:13:39] <flaccid> any ops: security update link in the topic is dead
[00:22:23] * mosites (n=mosites@216.205.244.3) has joined #openid
[00:24:34] * shigeta (n=shigeta@sakkgw2.sixapart.jp) has joined #openid
[00:45:54] <keturn> huh. alnk.org is down. I wonder what the story is behind that.
[00:46:43] * keturn changes topic to 'http://openid.net || Got OpenID library questions? Check stackoverflow.com.'
[00:52:32] <flaccid> is that security thing a patch and is it in the latest lib versions ?
[00:54:49] * jonny_ (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) Quit (Read error: 110 (Connection timed out))
[01:00:44] <keturn> it was an announcement of new lib versions a while back
[01:01:21] <flaccid> so i'll take that as a yes :)
[01:07:32] * mosites (n=mosites@216.205.244.3) Quit ()
[01:27:19] * xpo (n=xpo@bearstech/xpo) Quit ()
[01:43:08] * daleolds (n=daleolds@137.65.157.8) has left #openid
[01:54:01] * xpo (n=xpo@bearstech/xpo) has joined #openid
[01:55:41] * xpo (n=xpo@bearstech/xpo) Quit (Client Quit)
[02:03:13] * singpolyma (n=singpoly@173-11-94-133-SFBA.hfc.comcastbusiness.net) Quit ("Lost terminal")
[02:14:04] * mosites (n=mosites@static-98-112-71-211.lsanca.dsl-w.verizon.net) has joined #openid
[02:22:55] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) has joined #openid
[02:26:16] * stub (n=stub@ppp-58-11-86-104.revip2.asianet.co.th) has joined #openid
[03:02:11] * jonny (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) has joined #openid
[03:06:58] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) Quit (Read error: 60 (Operation timed out))
[03:24:52] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has joined #openid
[03:26:13] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has left #openid
[03:59:33] <jonny> flaccid: to what domain are those cookies tied?
[04:01:10] <flaccid> jonny the OPs . has to be otherwise it can't work and of course you can't do cross site/domain hijacking like that. so particularly if you have a fast connection the redirect will be fast and feel as though it just 'happens'
[04:01:36] <jonny> hmm
[04:01:53] <jonny> so with every page load the client browser has to do the roundtrip to the provider?
[04:01:58] <flaccid> so that being said, whats the issue remaining ?
[04:02:30] <flaccid> i believe so
[04:02:37] <flaccid> we can test
[04:04:05] <jonny> so you managed to log in once, and then keep the logged in session? I guess the example doesn't go that far
[04:04:43] <flaccid> yes but like i said, its your OP that has the session/cookie
[04:09:55] <jonny> ok
[04:10:34] <jonny> so with every page load, what would be the steps to do the authorizing in the background?
[04:10:48] <jonny> after getting the OK first time
[04:12:56] <flaccid> i don't understand
[04:14:37] <jonny> with the old style per-website login style, you log in once and then there's a session which makes it so you don't have to login all the time, until you logout/close browser/cookie runs out
[04:14:56] <jonny> I'm looking for the same pattern here...
[04:17:52] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) has joined #openid
[04:20:12] <flaccid> yes that was what we just talked about
[04:20:16] <flaccid> in firebug you can see the redirects
[04:21:40] <flaccid> so i logged in first via the example rp i put up, i then went to stackoverflow.com and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for myopenid.com
[04:23:03] * shigeta_ (n=shigeta@sakkgw2.sixapart.jp) has joined #openid
[04:23:23] * jonny (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) Quit (Remote closed the connection)
[04:23:45] * jonny (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) has joined #openid
[04:23:50] <flaccid> wb
[04:23:54] <flaccid> [14:21] <flaccid> yes that was what we just talked about
[04:23:54] <flaccid> [14:21] <flaccid> in firebug you can see the redirects
[04:23:55] <flaccid> [14:23] <flaccid> so i logged in first via the example rp i put up, i then went to stackoverflow.com and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for myopenid.com
[04:24:00] <jonny> so where is your consumer?
[04:24:06] <jonny> Can I try it out?
[04:24:11] <jonny> tx
[04:26:03] * shigeta (n=shigeta@sakkgw2.sixapart.jp) Quit (Read error: 60 (Operation timed out))
[04:26:34] <flaccid> i messaged this stuff earlier, did you not get ?
[04:27:17] <jonny> I'm don't think I follow
[04:27:44] <flaccid> i just pm'd you
[04:28:07] <flaccid> does chatzilla not support that or something ?
[04:28:29] <flaccid> i don't get what you don't follow
[04:29:05] <flaccid> [14:23] <flaccid> so i logged in first via the example rp i put up, i then went to stackoverflow.com and put in my id there, i see bottom left the redirect behaviour, i confirm i in firebug - 2x GET for myopenid.com - thus the single sign on via the session that is possible via the cookies my OP (myopenid.com) leaves
[04:31:51] <jonny> im trying out using openid to login to stackoverflow now
[04:32:02] <jonny> it prompts me to setup an account at stackoverflow.com
[04:32:25] * flaccid nods
[04:32:33] <jonny> I thought using the account from the other provider should be enough?
[04:32:49] <flaccid> what account from what other provider?
[04:32:56] <jonny> used myspace now
[04:33:11] <jonny> mixi didn't work :-P
[04:33:57] <flaccid> i don't use myspace and i don't even know what mixi is
[04:35:38] <jonny> it should matter right?
[04:36:00] <jonny> stackoverflow accepts my myspace login, and prompts me to create a new account
[04:36:16] <jonny> then what's the difference from just creating an account at stackoverflow from the beginning?
[04:36:45] <jonny> *shouldn't
[04:38:07] <singpolyma> jonny: they just use OpenID for authentication and then you need to create a local "profile"
[04:39:40] <flaccid> the difference is that you can use your openid and if you are already logged in via your op ie. logged in already (or did with an RP) you won't have to fill out a login form again
[04:40:29] <flaccid> so like i was saying before, i went to my example RP, put in my identity URL, it directed to my OP to login, so i did. then after that i opened a new tab, put in stackoverflow, clicked login and it logged me in automatically
[04:47:48] <jonny> the openid you used at your RP and stackoverflow is the same one?
[04:48:42] <flaccid> yes
[04:49:13] <flaccid> if openid was that insecure people would be having lots of fun stealing identities :)
[04:51:22] <jonny> hmm ok
[04:52:01] <jonny> I guess the whole deal with creating the session at the consumer side site is left outside the library
[04:52:49] <jonny> If that's the case, I'll just have to start coding :-P
[04:53:19] <jonny> the usage experience at stackoverflow.com isn't that bad actually :-)
[04:53:22] <flaccid> oh totally, i think i was just so busy the other day that i was misinterpreting you
[04:53:31] <flaccid> the example rp doesn't use any session stuff
[04:53:52] <jonny> yes the example just gets the OK and maybe a nickname or so...
[04:53:52] <flaccid> stackoverflow is a pretty example of a decent RP implementation
[04:54:22] <jonny> oh btw mixi is the largest community - in japan ;-)
[04:54:25] <flaccid> yeah the RP can recieve the extra data of sreg or ax but thats about the extent of it
[04:54:31] <flaccid> fair enough
[04:55:05] <jonny> they release the nickname.. myspace doesn't... hm... well I'll likely mimic the stackoverflow approach and calla new user "unnamed"..
[04:55:07] <flaccid> doesn't look like it supports openid
[04:55:39] <jonny> where who?
[04:55:41] <flaccid> yeah its up to the OP if they support providing the extra profile data via AX or SReg..
[04:55:46] <flaccid> mixi
[04:55:55] <jonny> it works with the example
[04:55:59] <jonny> but not at stackoverflow..
[04:56:18] <flaccid> are you saying they are an OP only ?
[04:56:20] <jonny> I even put in my copmlete openid url there but no
[04:57:02] <jonny> Ok thanks for your help...
[04:57:11] <jonny> I think I understand, slowly... :-)
[04:57:14] <jonny> lunch time
[04:57:30] <flaccid> jonny are they an OP only? if you give me your openid identity URL there I'll tell you what their problem is..
[04:57:52] <jonny> https://id.mixi.jp/979649
[04:58:48] <jonny> there's a page within the community where you can uncheck if you want your nickname exposed or not...
[04:58:54] <jonny> it's default to on
[04:59:15] * mosites (n=mosites@static-98-112-71-211.lsanca.dsl-w.verizon.net) Quit ("Streamy (http://www.streamy.com/)")
[05:00:33] <flaccid> so you get 'Authentication error; not a valid OpenID.' right ?
[05:01:54] <jonny> it says..
[05:02:06] <jonny> Unable to log in with your OpenID provider:
[05:02:08] <jonny> OpenID parameter 'session_type' was missing from the query.
[05:02:22] <jonny> im thinking it's actually a mistake at mixi's side
[05:02:40] <jonny> I clicked a "always accept" button there instead of "accept for now"...
[05:02:43] <jonny> and since then things are strange
[05:03:11] <flaccid> yes there seems to be several problems. the main one being that it redirects the identity URL !
[05:03:54] <flaccid> it redirects it to http://mixi.jp/show_friend.pl?id=979649 which does not have any openid stuff in it
[05:04:41] <flaccid> however it didn't do that when i first did it, its weird. i think they tried to put UA sniffing on it
[05:05:29] <jonny> ..hmm. i'm not sure.. but, i'll leave that for now..
[05:05:30] <flaccid> and only allow people logged in (members) to view profiles. this is a very bad practice and obviously breaks the possibility of logging in
[05:05:42] <flaccid> it certain is entirely mixi's bad implementation of openid.
[05:05:45] <jonny> I guess they might be working on it..
[05:05:54] <flaccid> they are an OP only and have failed to even do that half properly
[05:05:58] <flaccid> probably not
[05:06:20] <jonny> yes only logged in users can see profiles
[05:06:49] <jonny> it's very "tight" like, you can't sign up unless you have an email tied to japanese mobile phone services etc
[05:07:23] <jonny> even though it's a huge site
[05:08:55] <flaccid> unfortunately that breaks OpenID discovery entirely to RPs
[05:09:21] <flaccid> if an RP can't fetch the html page to get the link element to the OP endpoint it can't do anything
[05:09:26] <jonny> ah
[05:09:37] <jonny> Im guessing thats the problem then, not that I clicked "always accept"
[05:09:43] <flaccid> thats incredibly bad..
[05:09:45] <jonny> they probably made some change that's breaking things
[05:10:04] <jonny> because it worked just the other day
[05:10:36] <flaccid> thats because they attempt to UA sniff
[05:10:58] <flaccid> well at least i think they did
[05:11:02] <jonny> how does the RP usually get the endpoint? I saw something about a "wellknown" name somewhere
[05:11:10] <flaccid> just like i said
[05:11:25] <flaccid> either by html or xrds discovery
[05:11:56] <jonny> hm ok well they mustve made some change, on purpose or mistake
[05:12:20] <flaccid> its very bad..
[05:12:31] <jonny> after my lunch im just gonna implement the stackoverflow way of things
[05:12:51] <flaccid> they also redirect http://id.mixi.jp/979649 to https://id.mixi.jp/979649 and then ERROR: Certificate verification error for id.mixi.jp: unable to get local issuer certificate
[05:12:59] <flaccid> there is at least 4 problems i can see
[05:13:28] <flaccid> if you are implementing your own RP then the example/consumer does totally work as we just proved :)
[05:14:50] <jonny> yes I guess I never had a problem with the example or the library, except my expectations of it
[05:15:37] <flaccid> hey singpolyma it is bad practice to redirect the identity url isn't it, RPs can't support that
[05:16:11] <flaccid> which expectations were they sorry ?
[05:16:42] <singpolyma> flaccid: depends who you talk to. RPs can support it just fine, but I think it's not allowed in 2.0 ... it was allowed in 1.0 and 1.1 for sure, and still works with all major libraries I've tested
[05:17:28] <flaccid> okies. and whats the go with https identity URLs especially if the cert fails checks?
[05:17:55] <flaccid> in mix
[05:18:02] <flaccid> in mixi's case its pretty bad.. ERROR: Certificate verification error for id.mixi.jp: unable to get local issuer certificate
[05:18:11] <singpolyma> Well, that's up to your discretion I guess. With something security-based like OpenID one should use TLS if at all possible and fail if it fails, IMHO
[05:19:00] <flaccid> but why would using a https identity url make anything more secure, its just the identity url to do discovery on by the RP
[05:19:29] <singpolyma> flaccid: are you familiar with DNS poinsoning?
[05:19:51] <flaccid> don't think so
[05:20:15] <singpolyma> Basically, when you resolve a DNS address, you can't trust that at all
[05:20:23] <singpolyma> It may be spoofed
[05:20:34] <singpolyma> So you may be doing discovery on bob.com, but get the HTML from evil.com
[05:20:37] <singpolyma> without TLS
[05:20:50] <flaccid> ah yes i see your point now
[05:21:04] <flaccid> actually i don't
[05:21:16] <flaccid> https://foo.evil.com/ can still have a valid cert ..
[05:21:32] <singpolyma> yes, but not for https://bob.com
[05:22:08] <singpolyma> If I try to fetch bob.com and get a cert for evil.com, I know someone is fucking with me
[05:22:08] <flaccid> yes but what does dns hijacking have to do with tls or no tls
[05:22:20] <flaccid> true
[05:22:26] <singpolyma> and evil.com *cannot* have a cert for bob.com
[05:22:32] <singpolyma> not a valid one
[05:22:57] <singpolyma> So if I only ever use TLS, you cannot hikack my DNS calls without me knowing
[05:23:00] <flaccid> then its up to the RP's security policy right on whether a self-signed cert matching the hostname is valid right ?
[05:23:20] <singpolyma> self-signed certs don't count unless you get them out-of-band
[05:23:34] <singpolyma> You need to know objectively that the cert is valid
[05:23:36] <flaccid> yes, 'don't count' is policy of the RP but
[05:23:46] <flaccid> what you mean by 'out of band'
[05:23:59] <singpolyma> Sure, RPs choose to allow non-TLS, they can choose to allow bad TLS :)
[05:24:14] <singpolyma> out of band : ie, not over the same protocol (HTTP)
[05:24:28] <flaccid> yes in this case bad tls is self signed
[05:24:34] <singpolyma> If I send you a cert over HTTP, but you have not validated I am who I say, you cannot know my cert is valid
[05:24:48] <jonny> there's a comment on a blog about the site: "that makes me think they are internazis"
[05:25:01] <flaccid> self signed is ok i guess for other protocols such as vpn - shouldn't have to buy a cert in that case
[05:25:31] <singpolyma> If I self-sign my cert, and then we meet in a bar and I hand you an SD card with my cert, and then you install it, that's just as good as a cert from a known issuer (as long as you know I really control bob.com)
[05:25:46] <flaccid> yeah
[05:26:08] <flaccid> so in the case of using a self signed cert, you really should be checking the IP address that is resolved as well
[05:26:20] <singpolyma> Sure, accepting a self-signed the first time and storing it for all checks after that is as good as vpn/ssh "yes/no on first connect" security
[05:26:43] <singpolyma> There's no excuse to use a self-signed TLS IMHO, since startcom will give you one for free
[05:27:01] <flaccid> startcom, is that run by a dude called eddy ?
[05:27:32] <singpolyma> I dunno, it's a TLS issuer, and it's on the debian and firefox (and other) "valid issuer" list, and their lowest-grade certs are free
[05:28:29] <flaccid> yeah eddy nigg thats right, think i talked to him once and hes listed on the openid directory..
[05:28:44] <singpolyma> :)
[05:28:48] <flaccid> i had no idea you could get free tls ..!!
[05:29:28] <singpolyma> Yes. The only reason I don't use it is you can't get free static IPs, and my host won't allow TLS without a static IP
[05:29:34] <singpolyma> because of how openssl works
[05:30:03] <singpolyma> Also, to be fair, startcom certs will appear with the same warnings as self-signed certs to IE users
[05:30:14] <singpolyma> but other browsers and OSs have it on the list
[05:30:22] <flaccid> ah makes sense
[05:30:25] <flaccid> bloody microsoft
[05:30:31] <singpolyma> Yeah
[05:30:49] <singpolyma> But if you're thinking self-signed anyway, it's much ahead of that :)
[05:31:09] <flaccid> i've got an Amazon EC2 instance. the limitation i have there is you only get 1 public IP address per instance :( so i can't do dedicated IP hosting for shared hosting ..
[05:31:25] <singpolyma> yeah
[05:31:40] <flaccid> yeah i'll go and get one from startcom now. its just until we have income to justify buying verisign or whatever
[05:31:56] <singpolyma> Yeah :)
[05:32:49] <flaccid> hey thanks for filling in some gaps there!
[05:33:40] <flaccid> oh one other thing. is https://myid.foo.suf considered a different identifier to http://myid.foo.suf ?
[05:37:43] <flaccid> oh and singpolyma opera doesn't support startcom :(
[05:45:39] <flaccid> oh and singpolyma - fail on startcom ssl... https://www.startssl.com/logon.ssl - SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)
[05:46:02] <singpolyma> interesting
[05:46:09] <flaccid> that was in firefox too
[05:46:13] <singpolyma> it's worked before for me
[05:46:43] <singpolyma> uh... it's working for me right now
[05:46:45] <singpolyma> in firefox
[05:46:47] <singpolyma> what OS are you?
[05:46:55] <flaccid> windows xp atm
[05:48:47] <jonny> so ah, facebook, do they provide openids?
[05:49:00] <singpolyma> jonny: no, they consume them
[05:49:22] <singpolyma> flaccid: hmm... I don't claim to be an expert on who has lists where
[05:49:26] <singpolyma> it's working for me
[05:49:27] <singpolyma> heh
[05:49:36] <jonny> they introduced the aliases the other week, I thought the purpose was just that
[05:49:53] <flaccid> hehe np. could you answer my other little question?
[05:52:35] * xpo (n=xpo@bearstech/xpo) has joined #openid
[05:55:07] * xpo (n=xpo@bearstech/xpo) Quit (Client Quit)
[05:56:51] <singpolyma> oh, yes, OpenID identifiers are URIs, so scheme matters
[05:59:41] <flaccid> hmm that means you kind of have two identities
[06:00:08] <flaccid> but hey you can fix that right if you redirect the http -> https on your identity url right ?
[06:00:47] <singpolyma> yes
[06:02:04] * stub (n=stub@canonical/launchpad/stub) Quit (Nick collision from services.)
[06:02:05] * stub1 (n=stub@ppp-58-8-16-63.revip2.asianet.co.th) has joined #openid
[06:02:29] * stub1 is now known as stub
[06:03:12] <flaccid> cool as. all good for me then :)
[06:32:44] * jochen (n=jochen@145-50-169-81.mobileinternet.proximus.be) has joined #openid
[06:32:46] * jochen (n=jochen@145-50-169-81.mobileinternet.proximus.be) Quit (Remote closed the connection)
[06:39:44] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) Quit ("Lost terminal")
[07:15:16] * sjobeck (n=sjobeck@208-151-246-203.dq1sn.easystreet.com) has joined #openid
[07:17:14] * sjobeck (n=sjobeck@208-151-246-203.dq1sn.easystreet.com) Quit (Client Quit)
[07:30:22] * jochen (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
[07:30:31] * jochen (n=jochen@router.begen1.office.netnoc.eu) Quit (Remote closed the connection)
[07:30:54] * jochen (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
[07:54:33] * xpo (n=xpo@bearstech/xpo) has joined #openid
[08:00:12] * ponchopilate (n=markthom@host81-137-232-55.in-addr.btopenworld.com) has joined #openid
[08:11:08] <flaccid> dang i changed my tls cert to the StartSSL one and yeah i get unknown cert authority in every browser its not to dang
[08:30:37] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
[08:30:53] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) Quit (Remote closed the connection)
[08:31:22] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
[08:32:23] * jochen (n=jochen@router.begen1.office.netnoc.eu) Quit (Read error: 60 (Operation timed out))
[08:34:51] * jochen_ (n=jochen@router.begen1.office.netnoc.eu) Quit (Remote closed the connection)
[08:36:25] * jochen (n=jochen@router.begen1.office.netnoc.eu) has joined #openid
[08:39:07] * hillsy (n=shhi2@npfit3.dh.bytemark.co.uk) has joined #openid
[08:42:03] * hillsy (n=shhi2@npfit3.dh.bytemark.co.uk) Quit (Remote closed the connection)
[08:42:10] * hillsy_ (n=shhi2@npfit3.dh.bytemark.co.uk) has joined #openid
[08:43:16] * hillsy_ (n=shhi2@npfit3.dh.bytemark.co.uk) Quit (Client Quit)
[08:43:31] * hillsy (n=shhi2@npfit3.dh.bytemark.co.uk) has joined #openid
[08:55:16] * daedeloth (n=daedelot@ip-81-11-173-163.dsl.scarlet.be) has joined #openid
[09:54:10] * shigeta (n=shigeta@sakkgw2.sixapart.jp) has joined #openid
[10:10:54] * shigeta_ (n=shigeta@sakkgw2.sixapart.jp) Quit (Read error: 110 (Connection timed out))
[10:20:44] * Orango (n=s-e@wikimedia/Orango) has joined #openid
[10:22:27] * Orango (n=s-e@wikimedia/Orango) Quit (Client Quit)
[10:33:37] * x10 (n=x10@c-67-169-167-74.hsd1.ca.comcast.net) has joined #openid
[10:33:56] * x10 (n=x10@c-67-169-167-74.hsd1.ca.comcast.net) has left #openid
[11:05:47] * shigeta (n=shigeta@sakkgw2.sixapart.jp) Quit ("Leaving...")
[11:18:12] * MrTopf (n=cs@p5B395E59.dip.t-dialin.net) has joined #openid
[11:26:22] <jonny> so aahh
[11:26:42] <jonny> beep me when facebook implements openid as server ok?
[11:26:54] <jonny> I want to dispose of fb connect
[11:32:31] <jonny> also what is the proper endpoint of google's?
[11:41:04] * qwp0 (n=qwp0@gw.localnet.sk) Quit (Remote closed the connection)
[11:42:31] * qwp0 (n=qwp0@gw.localnet.sk) has joined #openid
[11:42:37] * Joran (n=martyn@78-105-117-5.zone3.bethere.co.uk) has joined #openid
[11:44:09] <Joran> hi guys, is there any active (ideally multi-user) standalone servers any more, it would seem that most have died a death, and the one thing I loved about the idea of openid is that you don't have to rely on a third party and give them all your details
[11:44:29] <Joran> (everything else I liked rather than loved, to be fair!)
[11:47:14] <qwp0> jonny: http://code.google.com/apis/accounts/docs/OpenID.html#endpoint
[11:59:11] * MacTed (n=Thud@66.30.249.84) has joined #openid
[12:05:17] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")
[12:16:17] * daedeloth (n=daedelot@ip-81-11-173-163.dsl.scarlet.be) Quit (Remote closed the connection)
[12:17:36] <jonny> qwp0: thanks
[12:27:09] <flaccid> jonny there are already plenty of openid providers, there is no need for facebook to become an OP. what we need is facebook to be a real RP. so far they are having issues even behing half an RP: http://wiki.developers.facebook.com/index.php/OpenID_Known_Issues
[12:28:13] <flaccid> Joran the example/server in the janrain libs works fine
[12:28:14] <jonny> facebook has a good load of users, so a lot of users could make use of openid that way....
[12:29:00] <jonny> and its in a way nice that FB has the ideal to have "real" people with real names, as opposed to many other communities where users have fake aliases, or jibberish email addresses etc
[12:29:35] <flaccid> jonny they can do that without becoming a provider via delegation. a good fair whack of FB users probably already have an openid somewhere else like yahoo, google, microsoft etc.
[12:29:53] <jonny> true
[12:30:21] <jonny> well in my current implementation there's hardly any difference now between all hte openids and the facebook connect
[12:30:33] <jonny> except the fb connect uses ugly reloading javascript...
[12:31:03] <flaccid> jonny well facebook doesn't support any open social technologies. its just another big commercial entity not sharing
[12:31:55] <flaccid> well let me correct that, they use some open social technologies but not in a standard way
[12:32:14] <Joran> flaccid: I'm fighting with simpleid at the moment, I might try that if I can find it... it doesn't look easy to find
[12:32:43] <flaccid> Joran its distributed in the janrain libs, pretty easy to find
[12:32:48] <qwp0> jonny: The Facebook guys have begun support twitter-like usernames recently, too -- they seem to have realized this is the way Internet identities are.
[12:33:14] <flaccid> Joran do keep in mind that there are enough openid providers out there. you might want to checkout delegation
[12:33:22] <Joran> flaccid : the janrain libs aren't advertised as "the janrain libs" on their website
[12:33:33] <Joran> flaccid : yeah, but I don't want to delegate
[12:33:37] <flaccid> Joran um so ?
[12:34:02] <Joran> I have my own web server and am happy keeping my information under my control
[12:34:39] * ertai (n=ertai@peray.inria.fr) has joined #openid
[12:34:57] <flaccid> Joran thats fine. so http://openidenabled.com/php-openid/ and at the bottom of that page link to the demo http://openidenabled.com/php-openid/trunk/examples/server/
[12:35:20] <Joran> php-openid is unsupported and abandoned.
[12:35:30] <flaccid> the examples provided in the libs helped me to understand and get to know the specification
[12:35:35] <jonny> so
[12:35:41] <jonny> the mixi endpoint
[12:35:49] <jonny> where did it go...
[12:37:00] <flaccid> Joran no its not, you are refering to 'PHP Standalone OpenID Server' as per http://openidenabled.com/unsupported-software/
[12:37:17] <flaccid> jonny sorry ?
[12:39:30] <Joran> flaccid: I see... hmm....
[12:41:11] <flaccid> :)
[12:41:43] <jonny> oh hm the live demo consumer works with mixi...
[12:41:45] <flaccid> Joran so the http://openidenabled.com/php-openid/trunk/examples/server/ is exactly what is included
[12:41:47] <jonny> i must have messed up somewhere..
[12:42:09] <flaccid> jonny no they did. remember you are probably logged in to that site.
[12:42:25] <Joran> oh, yeah, that's obviously a fully functional server... doesn't support passwords, sreg or any of the features the ones that were abandoned did. *sigh*
[12:42:35] <jonny> but it works from http://openidenabled.com/php-openid/trunk/examples/consumer/
[12:43:00] <flaccid> but i did find that what that site spits out is a bit random and they might do UA sniffing for some reason or at least try to determine if the request is an openid auth
[12:43:26] <flaccid> jonny sometimes the html elements go in, sometimes not and i never got any xrds http headers
[12:45:41] <flaccid> jonny like just then, did it in opera, it did the discovery and then went to the login
[12:46:14] <flaccid> my example rp which is exactly the same returns Authentication error; not a valid OpenID. in safari
[12:46:40] <jonny> what do you mean the html elements go in??
[12:47:06] <jonny> you mean you reach the login page?
[12:47:06] <flaccid> and just then in firefox it worked
[12:47:17] <flaccid> first step is html or xrds discovery to get the endpoint
[12:47:21] <jonny> ah
[12:47:22] <jonny> I see
[12:47:33] <jonny> I installed Firebug earlier, is that what you use to see the jumps?
[12:47:47] <flaccid> considering it works in some browsers its almost like they UA snif to prevent using in certain browsers
[12:47:55] <flaccid> yep thats the easiest way
[12:47:56] <jonny> it should be enough to enter "mixi.jp" in the input
[12:48:17] <flaccid> redirects to https://mixi.jp/openid_server.pl
[12:48:20] <jonny> even though I found https://mixi.jp/openid_server.pl but it doesnt work
[12:48:23] <jonny> yeah same
[12:48:48] <flaccid> define dowsnt work ... it gives you the login box to login, i just don't have an account obviously
[12:49:20] <jonny> the library tells me "Authentication error; not a valid OpenID." in my imlementaiton
[12:49:59] <jonny> i'll try with all browsers i have. ff3, ie6, chrome, safari 4
[12:50:33] <flaccid> yeah true
[12:50:39] <flaccid> i think you could be right
[12:52:28] <jonny> ok now the example doesnt even work anymore
[12:52:45] <jonny> maybe there's something like a silent "sorry tried too many times"
[12:54:11] <flaccid> jonny so you managed to get a fail on the openidenabled demo example consumer ?
[12:54:31] <jonny> actually the openidenabled demo still works...
[12:54:40] <jonny> my own demo worked too, for a while.. but not now...
[12:54:45] * ertai (n=ertai@peray.inria.fr) has left #openid
[12:54:45] <jonny> sigh
[12:54:56] <flaccid> yeah still think its a random fail on their behalf
[12:55:00] <jonny> yeah i can log in all the way on openideanbled
[12:55:07] <flaccid> it seemed a little random
[12:55:47] <flaccid> go to the discovery part in the example and see what it gets when it does it
[12:55:53] <flaccid> i can do that soon probably tonight
[12:56:00] <jonny> hmm how?
[12:56:11] <jonny> You have successfully verified https://id.mixi.jp/9796491 as your identity. Your nickname is 'ä¸�ä»�'.
[12:56:13] <jonny> No PAPE response was sent by the provider.
[12:56:15] <flaccid> it'll be in the code
[12:57:20] <flaccid> but yeah the example consumer i set up has not failed on any other provider i have tested and it is totally untouched from darcs get http://openidenabled.com/files/php-openid/repos/2.x.x/ and then symlink to example/consumer ..
[13:04:25] <Joran> argh. clamshell works but doesn't do yadis or delegation :S
[13:06:08] <flaccid> that thing is horrible
[13:09:16] <flaccid> i don't know if that thing supports openid 2.0
[13:09:51] <flaccid> in that time you spent wasting, you could already have used the one available that supports what you need
[13:20:12] <flaccid> jonny yeah he could be the store or something in getConsumer() at least
[13:20:53] <jonny> me?
[13:21:04] <jonny> don't blame me!
[13:21:09] <flaccid> im not
[13:21:11] <flaccid> at all
[13:21:40] <jonny> jo + tabbed?
[13:23:20] <flaccid> huh?
[13:34:21] <Joran> flaccid: what one available supports what I need? multiple users authenticated, sreg and yadis? I fail to see a host-your-own server that provides that without coding.
[13:35:28] <flaccid> Joran technically the example/server does that. yes anything else you want to do you will need to code.
[13:35:52] <Joran> it doesn't do authentication at all!
[13:36:03] <Joran> i.e. password per user
[13:36:07] <flaccid> jonny so far i have established that $auth_request = $consumer->begin($openid); is returning null. so i will check the library inputs and outputs
[13:36:22] <flaccid> Joran it supports unlimited users with openid authentication, technically.
[13:36:39] <flaccid> Joran go learn some php/mysql. it wouldn't be hard to hook up to a user table.
[13:36:54] <flaccid> you did not specify a password requirement :)
[13:37:36] <Joran> flaccid, not the point. I am actually a developer, but I don't want to spend my time reinventing the wheel.
[13:38:07] <flaccid> Joran the wheel you are after is not available publicly.
[13:38:47] <Joran> it's also one of the wheels that lack of will deter openid takeup :(
[13:39:31] <flaccid> Joran i disagree. there already plent of openid providers out there, we don't need any more.
[13:41:09] <Joran> flaccid: a lot of people want freedom from their data being outside their control.
[13:41:24] <qwp0> flaccid: that's pretty weird reasoning, IMO
[13:42:01] <Joran> how can an end-user have any more confidence in say "myOpenId" than "google" or "yahoo"?
[13:42:05] <flaccid> openid uptake is not about creating openid providers, its about supporting openid login
[13:42:47] <flaccid> if you want to run your own servers, then write your own code. atm you are looking to trust someone elses code anyway
[13:43:41] <Joran> one of the beauties of opensource code is that trusting the code is not a leap of blind faith
[13:45:05] <flaccid> and in the time you have spent complaining you could of modified the example/server to use mysql with a user table.
[13:45:25] <flaccid> thats one of the beauties of open source.
[13:47:02] <Joran> no point arguing here I guess, you disagree with my pov and won't credit my opinions with any worth so there's no point even stating them obviously.
[13:48:23] <flaccid> i wasn't aware that i needed to credit your opinions. you didn't credit mine either
[13:50:05] <flaccid> jonny openid discovery with mixi is failing. somewhere in the instantiation of the consumer object when creating the server endpoint object
[13:50:34] <jonny> oaky
[13:50:40] <jonny> *okay
[13:52:17] <flaccid> i have to go do a few things but i will continue debugging after that. its possible the html discovery is failing because of their charset/non english/no dtd etc. but thats a just a guess at this stage - need to check if its trying html or xrds or both. but anyway back a little later
[13:52:41] <Joran> well it appears to me as an end-user, openid is not ready for usage. That indicates I need not implement it for web sites I create, as people I target would find similar results to me.
[13:54:23] <jonny> huh why Joran?
[13:54:48] <jonny> oh confidence?
[13:54:52] <Joran> because I don't want a third party being in control of my data
[13:55:03] <jonny> so you dont sign up for hotmail or gmail?
[13:55:17] <Joran> not when I have a choice
[13:55:32] <Joran> (I use scroogle to search for example)
[13:55:38] <jonny> lol
[13:55:47] <Joran> and that's the point
[13:55:49] <qwp0> Joran: are you running a Freenode server? because otherwise a third party is being in control of your data
[13:56:53] <Joran> I have a choice to use openid and if it were useable I would. but I'm not about to think myopenid is any better than any other company for data security, govt. cooperation or any other facet of data manipulation
[13:57:17] <jonny> Joran so you'd rather implement your own member authentication on your own website, rather than let players like google, myopenid etc do that for you?
[13:57:26] <jonny> would people trust you more than any other?
[13:57:45] <Joran> jonny: yes, because I'm talking about family and friends.
[13:57:53] <jonny> ok
[13:58:10] <jonny> but if you make a website for general customers/users...
[13:58:13] <Joran> limited numbers - probably max 10
[13:58:15] <jonny> they won't be your friends ;)
[13:58:21] <Joran> I'm not aiming to
[13:58:32] <qwp0> Joran: well, you can run your own OpenID server (which is a bit problematic as we've seen but it's possible)
[13:59:22] <Joran> qwp0: there appear to be none that are functional without coding, so I would disagree with you, I can't.
[14:01:35] <Joran> jonny: no, it's about confidence - I do actually create other websites, but I don't have confidence that openid will take off because there's too high a hurdle to become a provider. So my technical advice to people asking if it's worth implementing it, would be "it's not worth it due to the minority audience".
[14:02:03] <jonny> well
[14:02:21] <jonny> on openid.net they say they have millions of openid enabled users
[14:02:21] <qwp0> Joran: as far as you can type and are even able to run your own web server, you should be able to run an OpenID server as well; the fact it requires a little coding doesn't mean you can't run your own server
[14:02:25] <jonny> that would be all google users etc
[14:02:38] <jonny> so minority, that depends on what you mean
[14:02:41] <Joran> the people imho who are likely to be early adopters are the very people who would no more likely to sign up for myopenid as google.
[14:03:16] <qwp0> Joran: actually, when you run a website which is not OpenID-enabled you don't allow other users to control their identities what is apparently one of your main concerns
[14:03:33] <jonny> and when mixi gets their thing going, you have 80% of the community share of Japan connected to openid..
[14:04:01] <jonny> i'd say it looks promising
[14:04:16] <Joran> qwp0: true, but my priorities differ personally to professionally.
[14:04:27] <jonny> ok, i have to get home now... ttyl
[14:04:40] <Joran> bye jonny
[14:04:44] <jonny> bye
[14:04:47] * jonny (n=chatzill@p1089-ipadfx01maru.tokyo.ocn.ne.jp) Quit ("ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]")
[14:05:42] <Joran> if a forum I'm using has openid abilities of course I'll enable it - it's a zero cost then
[14:08:21] <qwp0> Joran: well, you should use a forum that provides support for OpenID logins ;)
[14:10:55] <Joran> qwp0: I do but it's not a priority in choosing one, because I simply don't see it taking off because in the end as it says on openid.net : "In the end you should choose a Provider from a company which you trust."
[14:12:18] <Joran> and how many internet companies exist that any of my social circle trust? not many, if any.
[14:18:29] <qwp0> Joran: as a webmaster, you should support OpenID because it's (one of) the most promising SSO/identity management systems out there; as an end-user, the more sites are OpenID-enabled, the bigger is the probability that an easy-to-install OP is created and therefore you can install/use it
[14:19:14] <qwp0> ...without letting any third party control your data
[14:20:00] <qwp0> I think we should mix the webmaster/end-user POV's
[14:20:04] <qwp0> should not
[14:20:37] <Joran> qwp0: lovely sentiments, or I can just cope without until such time as it becomes a sensible option. As a webmaster, if it doesn't cost me time, I'll enable openid, if it does but only a little, I will, if it costs a lot of time then I won't.
[14:20:57] * Orango (n=s-e@wikimedia/Orango) has joined #openid
[14:26:22] <qwp0> Joran: with most of major wikis (Mediawiki has an OpenID extension) / CMS's (Drupal as well) / forum systems (I guess a mod for phpBB exists, too) making a site an RP is not a problem
[14:27:08] <Joran> yeah, most of the time I do find there's a module for openid login for any software I use.
[14:28:35] <qwp0> so almost all your web sites allow OpenID logins, right?
[14:30:23] <Joran> no, 'cos most of my web sites either don't have logins or the logins are limited groups (and so the data is already held elsewhere)
[14:31:25] <Joran> there's only one site I host that could benefit from openid and as I'm barely involved with it these days, I am not gonna stir it up
[14:36:47] <qwp0> thus you're rather a user than a webmaster when dealing with OpenID, aren't you?
[14:37:52] <qwp0> and your main problem is that there is no provider, which doesn't require some additional coding, available, right?
[14:38:07] <qwp0> provider as software
[14:39:28] <Joran> currently yes
[14:40:23] <qwp0> I think I may have a look at it then, since I'm interested how hard it is to modify the server ;)
[14:40:31] <Joran> :-)
[14:41:40] <Joran> I would be overjoyed to have a provider that just "works" - I don't care much about the storage engine so long as it's not ridiculously insecure!
[14:41:59] <qwp0> 'K, I'll have a look :)
[14:43:19] <Joran> qwp0: shall I /msg you my email address?
[14:43:33] <qwp0> Joran: why not ;)
[14:55:34] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has joined #openid
[14:58:38] * Orango (n=s-e@wikimedia/Orango) Quit ("Leaving")
[14:59:26] <Joran> when did openvatar go bellyup?
[15:00:43] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) Quit ("Leaving.")
[15:03:55] * hillsy (n=shhi2@npfit3.dh.bytemark.co.uk) Quit ("Leaving")
[15:07:27] * sjobeck (n=sjobeck@208-151-246-203.dq1sn.easystreet.com) has joined #openid
[15:14:34] * daedeloth (n=daedelot@ip-81-11-173-163.dsl.scarlet.be) has joined #openid
[15:15:08] * benblack (n=bb@207.105.81.105) has joined #openid
[15:26:43] * sjobeck (n=sjobeck@208-151-246-203.dq1sn.easystreet.com) Quit ()
[15:34:24] * sjobeck (n=sjobeck@64.122.13.55) has joined #openid
[15:36:05] * sjobeck (n=sjobeck@64.122.13.55) has left #openid
[15:41:32] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has joined #openid
[15:59:15] * elliottcable (n=ec@ec2-75-101-138-129.compute-1.amazonaws.com) Quit (Remote closed the connection)
[16:10:00] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) has joined #openid
[16:18:20] <flaccid> Joran so you are happy to keep other people's data, isn't that a bit hypocritical?
[16:19:35] <Joran> flaccid: nope. the data I hold on my server about others is only data that is needed for the application.
[16:20:12] <flaccid> Joran: you have that same choice with any openid provider.
[16:21:16] <Joran> it's not about that though - if I run my own openid provider, it's on my server.
[16:21:35] <Joran> I will allow friends and family to use it too.
[16:21:35] <flaccid> before you were saying its about that
[16:21:51] <flaccid> you also said you were a developer, but seem to be either too lazy or not competent to modify some code
[16:23:36] <Joran> flaccid: keep the veiled insults to yourself, thanks. I am not only a developer, nor only a web developer nor only a user. As a user I do not want to have to do development to host my own openid service. Much as I wouldn't want to write an smb server to share files with a windows box!
[16:24:35] <singpolyma> flaccid: You are a bit quick to be condescending sometimes :)
[16:25:27] <flaccid> sure but with good reason
[16:28:05] <flaccid> the janrain libs are provided free and open under the apache license 2.0. lots of people put time into the openid specification and the software such as the libraries which come with example consumers and providers. free speech and free beer all in one. i for one am totally grateful for the time, effort and money these people put in to provide what we available to date.
[16:28:45] * jochen (n=jochen@router.begen1.office.netnoc.eu) Quit (Read error: 113 (No route to host))
[16:29:49] <flaccid> singpolyma you have contributed yourself and as a user and developer i really appreciate it and will always recognise that it enabled me for example, to easily host my openid delegation to the provider(s) of my choice, whether it be myself or a 3rd party.
[16:30:08] <flaccid> i didn't come into this channel and complain with dozens of negative comments.
[16:30:30] <flaccid> singpolyma unfortunately you missed all that
[16:30:56] <singpolyma> flaccid: sorry, I'm not trying to get into an argument. I realize I came in near the end of your discussion
[16:31:25] <flaccid> oh i thought it ended but when i came back it had started all over again..
[16:33:06] <flaccid> technically with the example/server you could enable it to bind against an array of username/password name value pairs. although not great, it can be done in a few lines of code and about 10mins of ones time.
[16:34:27] * benblack_ (n=bb@207.105.81.105) has joined #openid
[16:40:00] <flaccid> Joran i did just realise an option for you however. the latest/recent version of the xrds-simple plugin made by singpolyma and will norris has an openid provider based on those libs.
[16:40:48] <singpolyma> flaccid: well, the xrds-simple and wp-openid plugins together
[16:40:58] <singpolyma> will let you run an OpenID server for users on a WordPress install
[16:41:21] <singpolyma> Is that what Joran wants? His own OP with multiple users?
[16:41:35] <singpolyma> Yeah, the standard solution (PHPmyID) is single user
[16:41:49] <flaccid> yep sorry forgot to mention that. i was nagging will the other day via email and he assisted me heh i needed to upgrade the wp-openid plugin for it all to work/have the options available
[16:42:09] <flaccid> yes and old, modified libs, badly maintained etc.
[16:42:17] <flaccid> you guys didn't modify the libs at all ?
[16:43:52] <singpolyma> Not that I know of
[16:44:04] <singpolyma> Pretty sure any patches have been mainlined
[16:44:19] <flaccid> only feedback i have on that is maybe a bit more doco on that plugin page and perhaps boasting about the OP component
[16:44:25] <flaccid> cool
[16:55:45] <flaccid> singpolyma texting mixi.jp as RP for jonny and its failing on yadis $m = $disco->getManager();
[16:56:18] <singpolyma> does mixi generally work well as an RP?
[16:59:39] * xpo (n=xpo@bearstech/xpo) Quit (Read error: 104 (Connection reset by peer))
[17:00:46] * xpo_air (n=xpo@ip67-155-196-3.z196-155-67.customer.algx.net) has joined #openid
[17:02:22] * voidstar_ (n=bb@207.105.81.105) has joined #openid
[17:06:06] * benblack (n=bb@207.105.81.105) Quit (verne.freenode.net irc.freenode.net)
[17:07:46] <flaccid> singpolyma not really. but seems the example consumer works but both me and jonny's example consumer doesn't. mine is darcs checkout only, nothing touched and it works with every other RP i can think of to test with
[17:08:08] <singpolyma> you mean example server
[17:08:09] <flaccid> its failing in discovery with getManager, i'm thinking that it could be the characters being fetched in html discovery
[17:08:29] <flaccid> mixi.jp is only a provider as far as i can see
[17:09:21] <singpolyma> So your example consumer checkouts are failing with your example servers?
[17:09:52] * ponchopilate (n=markthom@host81-137-232-55.in-addr.btopenworld.com) Quit ()
[17:11:11] <flaccid> no example/consumer fails with mixi.jp only
[17:11:44] <flaccid> something in getManager it seems (so far)
[17:14:28] * benblack_ (n=bb@207.105.81.105) Quit (Read error: 60 (Operation timed out))
[17:15:00] <singpolyma> but miki.jp works with other RPs just fine?
[17:15:01] <singpolyma> interesting
[17:15:57] <flaccid> i think it might be $manager_str = $this->session->get($this->getSessionKey());
[17:17:10] <flaccid> i think it could be a logical error
[17:20:19] <flaccid> could also be as simple as open_basedir not set. that would make sense
[17:21:12] <singpolyma> Do your local RPs work with other OPs?
[17:21:29] <flaccid> hmm nah its not set on mine which means its not confined and it does write to /tmp
[17:21:54] <flaccid> yes. this is the example/consumer untouched and works with every other op i can test with
[17:23:05] <singpolyma> maybe mixi.jp does not support openid2
[17:23:07] <flaccid> thing is $manager_str = $this->session->get($this->getSessionKey()); returns the data from my last successful auth (dif identity) even after session is cleared
[17:23:09] * mosites (n=mosites@static-98-112-71-211.lsanca.dsl-w.verizon.net) has joined #openid
[17:23:33] <flaccid> i read it was only openid 2.0
[17:24:07] <singpolyma> hmm, scratch that theory then
[17:25:43] <flaccid> xrds seems set up right on their end
[17:25:49] * voidstar_ (n=bb@207.105.81.105) Quit (Read error: 110 (Connection timed out))
[17:28:08] <flaccid> looks like its in the session method
[17:41:10] * singpolyma (n=singpoly@c-76-21-5-96.hsd1.ca.comcast.net) Quit ("Lost terminal")
[17:49:19] * xpo_air (n=xpo@ip67-155-196-3.z196-155-67.customer.algx.net) Quit ()
[17:52:00] * ertai (n=ertai@lns-bzn-40-82-251-136-1.adsl.proxad.net) has joined #openid
[18:00:01] * singpolyma (n=singpoly@64.210.105.2) has joined #openid
[18:01:02] <flaccid> wb
[18:05:48] * jochen_ (n=jochen@4.69-245-81.adsl-dyn.isp.belgacom.be) has joined #openid
[18:17:57] * MrTopf (n=cs@p5B395E59.dip.t-dialin.net) Quit ()
[18:19:16] * TedThibodeauJr (n=Thud@66.30.249.84) has joined #openid
[18:28:27] * MacTed (n=Thud@66.30.249.84) Quit (Read error: 110 (Connection timed out))
[18:28:42] * singpoly1a (n=singpoly@64.210.105.2) has joined #openid
[18:37:29] * singpolyma (n=singpoly@64.210.105.2) Quit (Read error: 110 (Connection timed out))
[18:38:27] * Joran (n=martyn@78-105-117-5.zone3.bethere.co.uk) Quit (Read error: 104 (Connection reset by peer))
[18:38:56] * TedThibodeauJr is now known as MacTed
[19:00:34] <flaccid> hmm its the xrds document that the rp does not like for mixi.jp
[19:00:37] <flaccid> but i can't figure out why
[19:02:05] <singpoly1a> flaccid: do you just use mixi.jp and directed identity, or what is your identity uri?
[19:03:33] <flaccid> i don't have one there, but i am pretty sure i just confirmed 1 of my original guesses
[19:03:38] <flaccid> so yeah mixi.jp
[19:03:49] <flaccid> it is because xrds http header they use is https
[19:04:07] <flaccid> when i wget, i get ERROR: Certificate verification error for mixi.jp: unable to get local issuer certificate
[19:04:29] <flaccid> and asks me to To connect to mixi.jp insecurely, use `--no-check-certificate'.
[19:05:08] <flaccid> copy http://mixi.jp local and put the xrds location in the header, same issue with https, no problems on http
[19:05:16] <flaccid> so this must be the paranoid xrds fetcher
[19:05:35] <singpoly1a> curl -i https://mixi.jp/xrds_server.pl works on my system with no errors
[19:05:39] <singpoly1a> I think your TLS is messed up
[19:06:11] <singpoly1a> wget also works for me on that URL
[19:07:37] <flaccid> true. i only get that message on 1 server of mine. i don't get it on the client i have in web browser
[19:08:11] <flaccid> doesn't explain why it works without http then and why jonny has the same issue
[19:09:05] <flaccid> actually its on the same server so yeah that makes sense
[19:09:21] <flaccid> apache/php would be using same openssl
[19:09:55] <singpoly1a> yes
[19:10:28] <flaccid> ok so me and jonny have screwed up tls on our servers
[19:10:48] <flaccid> weird for me, i run freebsd and everything else tls works fine
[19:11:35] <flaccid> ok so when he comes back in i'll ask him to try curl and wget on the server i set the example up on and see if it has issues like me
[19:12:22] <flaccid> i=he
[19:13:56] <flaccid> its COMODO CA so its a normal kind of issuer
[19:15:06] <flaccid> ok so one more test to verify this, i'll try myopenid w/ tls, if it works then heh obviously that has to be it
[19:16:12] <flaccid> lol i mean if it doesn't work
[19:16:33] <flaccid> true the rp example doesn't like it. no see if wget does the same thing
[19:17:50] * xpo (n=xpo@bearstech/xpo) has joined #openid
[19:19:19] <flaccid> well example RP rejected both https://myopenid.com/ and http://flaccid.myopenid.com/ but work in sheel
[19:19:27] <flaccid> shell. so im not so sure heh
[19:19:43] <flaccid> oops
[19:19:49] <flaccid> i mean https://flaccid..
[19:20:55] <flaccid> ok so will just assume that the local tls is the problem. that will do just fine heh
[19:24:53] <flaccid> seems like this https://bugs.launchpad.net/ubuntu/+source/wget/+bug/74315
[19:28:58] <flaccid> on that note do you think there is any reason to do https on yadis profiles ?
[19:30:03] * MacTed (n=Thud@66.30.249.84) Quit ()
[19:31:29] * xpo (n=xpo@bearstech/xpo) Quit ()
[19:31:43] <flaccid> hey singpoly1a boom! it has to be this for me http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2007-February/114083.html and for jonny likely missing the ca-certificates package if its ubuntu/debian..
[19:38:32] <flaccid> also seems like the sec team have gotten rid of supporting anything in the ca root area
[19:41:44] * singpolyma (n=singpoly@64.210.105.2) has joined #openid
[19:44:31] <flaccid> wb
[19:44:38] <flaccid> did you miss all my blabber ?
[19:57:48] * singpoly1a (n=singpoly@64.210.105.2) Quit (Read error: 110 (Connection timed out))
[20:12:19] * singpolyma readis over stuff
[20:12:27] <singpolyma> glad you found the issue :)\
[20:12:43] <singpolyma> As I've said before, if you don't discover over TLS, your securty model is screwed
[20:12:54] <singpolyma> until the signing stuff from the XRD work comes out
[20:16:42] <flaccid> yeah unfortunately its a question of who to trust and that in freebsd and other OS/distros, they don't trust anyone by default
[20:18:37] <flaccid> this OS supports x,y,z ca roots, this other only suports a,b,c and this one trusts no one
[20:21:11] <singpolyma> yeah :)
[20:21:26] <singpolyma> you can import the root certs yourself from CAs you care about
[20:21:36] <singpolyma> you may need root for that, though
[20:22:57] <flaccid> yeah but that still goes back to the question of 'who should you trust'
[20:23:10] <singpolyma> sure, of course it does :)
[20:23:25] <flaccid> which has lead me to believe that as an RP or OP or even anything, you need to put a page up of the CA roots you support
[20:23:28] <singpolyma> I trust arbitrary CA X more than I trust completely clear DNS ;)
[20:23:38] <flaccid> to a normal user, that just confuses them more
[20:23:38] <singpolyma> It wouldn't hurt, for sure
[20:23:59] <singpolyma> Well, normal users will use OPs with a cert from the big 4 I would think
[20:24:13] <singpolyma> hopefully the signing stuff in XRD has some best practises about CAs to support
[20:24:21] <singpolyma> will or eran would know more about that
[20:25:23] <flaccid> true
[20:26:26] <flaccid> but for people trying to do an RP and testing on a https OP they aint going to know about this which is i guess what we established
[20:26:52] <flaccid> i didn't even realise https or think about it it properly til later
[20:26:54] <singpolyma> yeah
[20:27:05] <flaccid> i saw that problem but didn't think much of it
[20:27:09] <singpolyma> well, the example RP really should give better error messages
[20:27:13] <flaccid> coz it was working elsewhere
[20:27:27] <flaccid> yeah a bit more logic
[20:27:37] <flaccid> i had to dig real deep to even get to that
[20:29:22] <flaccid> oh and i have not got a browser yet that accepts my new startssl cert
[20:29:48] <singpolyma> where are you using it?
[20:29:57] <flaccid> on my web server
[20:30:08] <flaccid> tried all environments i could
[20:30:09] <singpolyma> no, I mean URL, I'd like to see if my browser likes it ok :)
[20:30:24] <flaccid> https://xhost.com.au/
[20:30:58] <flaccid> seems to be trusted you need probably money and a big commercial entity
[20:31:28] <flaccid> in essence in some browser this cert is more 'rejected' than a self-signed one
[20:31:35] <singpolyma> my browser trusts that cert
[20:31:40] <flaccid> OS ?
[20:31:44] <singpolyma> Ubuntu Jaunty
[20:31:53] <flaccid> eek
[20:32:05] <flaccid> i've tested freebsd, windows, mac os x
[20:32:07] <singpolyma> firefox 3.0
[20:32:13] <flaccid> yes
[20:32:20] <flaccid> and all the other ones he says
[20:32:35] <singpolyma> my curl does not accept your cert
[20:32:43] <singpolyma> nor my wget
[20:33:07] <flaccid> which suggests its a consipiracy
[20:33:11] <singpolyma> something odd
[20:33:12] <flaccid> ubuntu+firefox
[20:33:24] <flaccid> i don't use that heh
[20:33:49] <singpolyma> http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers
[20:34:02] <singpolyma> says firefox3 accepts startcom free
[20:34:15] <singpolyma> verification level 1
[20:34:43] <flaccid> its not true
[20:34:58] <flaccid> trust roots are usually not a browser thing but rather OS level
[20:36:59] <singpolyma> I'm pretty sure in Firefox they're separate from the OS level (certainly are on my system, as just demonstrated)
[20:37:26] <flaccid> atm im on windows
[20:37:31] <singpolyma> http://www.startssl.com/?app=0 shows "supported by" and firefox, flock, safari logos
[20:37:32] <flaccid> that is actually most important
[20:37:37] <singpolyma> I would write support
[20:37:49] <flaccid> yeah i noticed that. i tested safari too on all 3 platforms, no go
[20:38:13] <flaccid> actually safari on windows i think works
[20:38:22] <singpolyma> I would write the startcom support and see what's up
[20:38:31] <flaccid> yeah i might do that
[20:39:09] <flaccid> seems ironic that the only one that may of worked is from apple on a windows platform :=
[20:40:28] <singpolyma> indeed
[20:41:00] <flaccid> i appreciate your time and info, it is a bit more of an insight to reality here...
[20:41:08] <singpolyma> :)
[20:41:24] <flaccid> that being said, if you were to spend dollars on a cert, heh what is the 'most supported' ?
[20:41:36] <flaccid> go spend a 1000 bux or some crap on verisign ?
[20:41:38] <singpolyma> well, depends what you want to spend
[20:41:48] <flaccid> lets not worry about the spend
[20:41:52] <singpolyma> godaddy is cheap and well-supported (even IE)
[20:41:57] <flaccid> but rather the client-side support
[20:42:02] <singpolyma> verisign is what you really want if you have the money
[20:42:08] <flaccid> godaddy is a CA ?
[20:42:14] <singpolyma> verisign, highest verification level, with EV :)
[20:42:16] <singpolyma> yes
[20:42:28] * flaccid goes to look
[20:42:58] <flaccid> godaddy does look cheap
[20:43:02] <singpolyma> yeah
[20:43:21] <flaccid> i assume the middle options i uac
[20:43:49] <flaccid> ucc i mean
[20:44:07] <singpolyma> dunno. If I were to pay more than lowest-level godaddy I'd probably go with highest-level godaddy
[20:44:16] <singpolyma> after that, equifax or verisign
[20:45:15] <flaccid> hmm
[20:45:38] <flaccid> maybe Multiple Domain (UCC) Just $89.99/yr would be suited for us
[20:46:24] <flaccid> seems like just a commercial thing in the end. once you get on the 'ca list' see what you can charge
[20:46:45] <flaccid> the actual encryption layer is the same its just the verified ca
[20:47:20] <singpolyma> yeah. I don't usually care much about encryption anyway
[20:47:30] <singpolyma> It's signing/verification that's really interesting
[20:47:56] <flaccid> yeah. but only problem i got is 1 public IP limitation
[20:48:12] <flaccid> in that case i say screw the clients until we make money
[20:48:36] <flaccid> thats going to be for some time because we are not taking on new clients until we finish r&d which could be about 1 year atm
[20:48:59] * Orango (n=s-e@wikimedia/Orango) has joined #openid
[20:49:05] <singpolyma> yeah :)
[20:54:17] <flaccid> Opera doesn't support startssl heh thats what i use..
[20:55:39] <flaccid> meh startssl can't design a website its bad. how do i contact them ?
[20:55:42] <singpolyma> So submit a patch ;) wait... you can't. Yeah, screw Opera
[20:56:13] <singpolyma> http://www.startssl.com/?app=27
[20:56:20] <flaccid> as i demonstrated before patches can be rejected just as easily on open source..
[20:57:10] <singpolyma> no. they can be rejected more easily, because they can exist at all :)
[20:58:57] <flaccid> im not sure if i understand
[20:59:33] <singpolyma> Proprietary software companies can't reject your patches, because you can't create them in the first place.
[20:59:53] <flaccid> thats true
[21:00:11] <flaccid> and sometimes you go to such effort in open source to only be rejected by some tool that has power
[21:00:16] <flaccid> that for me is more unrewarding
[21:00:45] <flaccid> in this case, its not a patch. its security policy.
[21:02:15] <singpolyma> No one has the power. Not really. You can run and distribute a version with your patch. People do it all the time
[21:02:38] <singpolyma> It's obviously more rewarding when your patch gets "accepted", but that's not exactly the point
[21:03:04] <flaccid> but who feels like they have achieved anything by forcing to fork
[21:03:20] <flaccid> i don't like that, it defeats the purpose
[21:03:34] <flaccid> all this behaviour makes the software, um, patchy
[21:04:01] <singpolyma> And what, in your mind, is "the purpose" that is being defeated by running a forked version?
[21:05:43] <flaccid> i got better things to do
[21:05:47] <flaccid> im also a socialist
[21:05:53] <flaccid> eddy replied fast "At the moment the StartCom CA root is supported by Apple and Mozilla software. Microsoft will start support in September this year. There might be others which we don't know about."
[21:06:02] <flaccid> i told him about how i couldnt get any firefox to go
[21:22:51] * remitaylor (n=remi@ip98-165-225-119.ph.ph.cox.net) has joined #openid
[21:24:57] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) Quit ("Leaving.")
[21:25:17] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has joined #openid
[21:39:31] * Orango (n=s-e@wikimedia/Orango) Quit ("Leaving")
[22:27:08] * qwp0 (n=qwp0@gw.localnet.sk) Quit (Read error: 110 (Connection timed out))
[22:39:28] * daedeloth (n=daedelot@ip-81-11-173-163.dsl.scarlet.be) Quit (Remote closed the connection)
[22:58:33] * MrTopf (n=cs@p5B3D73FC.dip.t-dialin.net) has joined #openid
[23:15:06] * MrTopf (n=cs@p5B3D73FC.dip.t-dialin.net) Quit ()
[23:15:17] * xpo (n=xpo@bearstech/xpo) has joined #openid
[23:23:01] * jochen_ (n=jochen@4.69-245-81.adsl-dyn.isp.belgacom.be) Quit (Remote closed the connection)
[23:40:26] * remitaylor (n=remi@ip98-165-225-119.ph.ph.cox.net) Quit ("Leaving.")
[23:46:57] * daleolds (n=daleolds@c-76-27-115-77.hsd1.ut.comcast.net) has left #openid

These logs were automatically created by OpenIDlogbot on chat.freenode.net using a modified version of the Java IRC LogBot.