I noticed a separate problem with the Drupal RP on one test site.  That had 
nothing to do with .Net.

The period in the claimed ID was breaking something in Drupal's account 
management.

Unfortunately it was a senior GSA person whose account triggered it.  On the 
upside, if that hadn't happened, a regular user probably would have just given 
up and moved on, not allowing us to discover the issue.

The problem is that only a very small number of Yahoo accounts trigger this, so 
there may be issues with RPs that remain undetected.  We should probably 
build a test for it on test-id.org but it also suffers with the same IIS issues 
so that may not be easily done.

I don't think this is news to Microsoft.  I have known about similar IIS 
existing for a long time.   I hope they could do something but I won't hold my 
breath on that.

The lesson from this is that people including base64 encoded information in URI 
for new implementations should use the RFC version of base64 and save 
themselves some trouble.

I know of one RP running ColdFusion that solved the problem with Yahoo by 
turning off all Yahoo OpenID.

I hope we can find workarounds for affected RPs for Yahoo's sake because I 
don't think there is an option for them to change at this point.

John B.

On 2010-03-27, at 5:52 PM, Peter Watkins wrote:

> John Bradley wrote:
> 
>> It is a problem that may exist in more than one RP,  so we should test for 
>> it.  RP with issues will have to decide what they do about those problem 
>> Yahoo accounts.
>> I am not saying Yahoo has done anything wrong,  but we have an interop issue 
>> nonetheless.
>> I don't think there is anything you can do at this point.  
> 
> I think it's sad that nobody thinks we could convince Microsoft to change the 
> behavior of .Net. As it stands, System.Uri in .Net is mangling URLs on the 
> *client* side, apparently to help protect *servers* that might still be 
> vulnerable to a flaw like
> http://www.microsoft.com/technet/security/bulletin/fq00-019.mspx
> which, by the way, turns 10 years old this week.
> 
> Anybody from the .Net team at MSFT want to chime in?
> 
> ISTM at the very least MSFT should release official patches (even if they're 
> hotfixes that must be manually obtained) for .Net 2.0 and 3.5 (lots of us 
> still run primarily 2.0) to provide something like a DoNotSimplifyPath 
> property for a UriBuilder object so that code like Andrew's would be able to 
> work reliably.
> 
> -Peter
> 

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
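
The kind of RP interop test discussed in this thread, as an added example that is not part of the original messages or of any project named in them: it compares identifier tokens encoded with RFC 4648 base64url against a variant alphabet that contains a period, and counts how many identifiers change when a client library simplifies the path. The host `op.example`, the variant alphabet, and the `simplify_path` model (dot-segment removal plus stripping of trailing periods) are assumptions made for illustration; the thread does not spell out the exact transformation.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def token_rfc4648(raw):
    """RFC 4648 section 5 'base64url', unpadded: A-Z a-z 0-9 '-' '_'."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_dot_variant(raw):
    """Constructed non-RFC variant: '.' and '_' replace '+' and '/'."""
    return base64.b64encode(raw, altchars=b"._").rstrip(b"=").decode("ascii")


def simplify_path(path):
    """Hypothetical model of a URI library simplifying a path: removes
    '.' segments, resolves '..', strips trailing periods per segment."""
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg.rstrip("."))
    return "/" + "/".join(out)


def survives_simplification(identifier):
    """True if the identifier's path is unchanged by simplify_path."""
    path = urlsplit(identifier).path or "/"
    return simplify_path(path) == path


def count_fragile(encode, samples=2000, base="https://op.example/a/"):
    """Count constructed identifiers that simplification would rewrite."""
    fragile = 0
    for i in range(samples):
        # Deterministic sample input; 18 bytes encode to 24 chars, no padding.
        raw = hashlib.sha256(i.to_bytes(4, "big")).digest()[:18]
        if not survives_simplification(base + encode(raw)):
            fragile += 1
    return fragile


if __name__ == "__main__":
    raw = b"\x01\x02\x03\xfb\xef\xbe"  # constructed: last four symbols are index 62
    print(token_rfc4648(raw), token_dot_variant(raw))
    print("rfc4648 fragile:", count_fragile(token_rfc4648))
    print("dot variant fragile:", count_fragile(token_dot_variant))
```

Under this model only tokens whose final symbol maps to the period are rewritten, so a small fraction of identifiers is affected and an RP test suite needs such a token on purpose rather than relying on random accounts.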
