web server - outgoing connections?

Hello,

I am new to openid, so forgive me if this will sound obvious. Let's say
I have a web site and I want to support openid, so users of my site will
be able login using their openid url. The trouble I see here is that my
web server will have to connect to random IPs on the internet as a part
of authentication process*, am I right? Is there an authentication mode,
where client's browser does all the outgoing communication?

* why this is a problem:
- I don't want my web server to be used in ddos attacks
- companies that are serious about security usually deny unrestricted
outgoing connections from servers, so it's also a deployment issue

Thanks,
Egon

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

If a "backchannel" xrds source sends back a 401, seeking back channel authentication, is it a) conforming to do so b) conforming to respond?

If the xrds source seeks to upgrade an established tcp connection to https (using http 1.1 signals), is it conforming to ask/respond?


________________________________
From: Andrew Arnott <andrewarnott@...>
Sent: Wednesday, July 23, 2008 12:56 PM
To: Egon Kocjan <egon@...>
Cc: general@... <general@...>
Subject: Re: [OpenID] web server - outgoing connections?

RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate the issue you speak of.

On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <egon@...<mailto:egon@...>> wrote:
Hello,

I am new to openid, so forgive me if this will sound obvious. Let's say
I have a web site and I want to support openid, so users of my site will
be able login using their openid url. The trouble I see here is that my
web server will have to connect to random IPs on the internet as a part
of authentication process*, am I right? Is there an authentication mode,
where client's browser does all the outgoing communication?

* why this is a problem:
- I don't want my web server to be used in ddos attacks
- companies that are serious about security usually deny unrestricted
outgoing connections from servers, so it's also a deployment issue

Thanks,
Egon

_______________________________________________
general mailing list
general@...<mailto:general@...>
http://openid.net/mailman/listinfo/general

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

Can anyone poin tme to an OP that supports AX or Pape (only anti
phishing needed)?

myopenid.com lists both AX and Pape (anti phishing) as supported type
uris in discovered OpenID xrds but doesn't seem to actually fulfill
either of them?

Thanks,

=James.Tindall
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

You can try with OpenID Provider, available with WSO2 Identity Solution.

This supports both PAPE and AX.

This is free and open source, available to download from here[1].

We have hosted it at https://is.test.wso2.org for interop testing.

Thanks & regards.
- Prabath

[1]: http://wso2.org/projects/solutions/identity

On Fri, Jul 25, 2008 at 7:33 PM, James Tindall <james@...> wrote: _______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general