New Fedora openid provider (fas-openid) in service

Chris Adams cmadams at hiwaay.net
Thu Mar 7 16:41:38 UTC 2013


Once upon a time, Toshio Kuratomi <a.badger at gmail.com> said:
> Note -- I made the same decision but I found out from puiterwijk that that
> should be raising an error in the relying party (the website asking that you
> auth with fedora's openid).  The reason?  We don't have SSL certificates for
> all possible [username].id.fedoraproject.org domains.

https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in
SSL wildcard matching, a "*" does not match a ".".  This means that
id.fp.o is matched with *.fp.o, but [username].id.fp.o is not.

There would have to be an SSL cert for *.id.fp.o, which would mean DNS
for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o
server and all SSL-using clients trying to access *.id.fp.o would have
to support TLS SNI.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
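As an added example (not part of the original message or of Fedora's infrastructure code), the matcher below applies the RFC 6125 wildcard rule Chris describes, so that `*.fp.o` covers `id.fp.o` but not `[username].id.fp.o`; `fp.o` is the thread's shorthand for fedoraproject.org and `alice` is a constructed username.

```python
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Conservative reading of RFC 6125 section 6.4.3:
      * comparison is case-insensitive and trailing dots are ignored;
      * a wildcard may appear only as the entire leftmost label;
      * the wildcard matches exactly one label, so it never spans a '.';
      * at least two labels must follow the wildcard, so '*.o' is rejected.
    """
    if "*" in hostname:
        return False  # a presented hostname never contains a wildcard
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty label means a malformed name
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False  # wildcard only as the whole leftmost label
        if len(p_labels) < 3:
            return False  # refuse overly broad wildcards such as '*.o'
        # The wildcard stands for exactly one label, so label counts must be
        # equal: '*.fp.o' has 3 labels, 'alice.id.fp.o' has 4, hence no match.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered_by_cert(dns_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName in the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed SAN list standing in for the wildcard.fp.o certificate.
    wildcard_cert = ["fp.o", "*.fp.o"]
    for host in ("id.fp.o", "alice.id.fp.o"):
        print(f"{host:14} covered by *.fp.o cert: {covered_by_cert(wildcard_cert, host)}")
    # A separate *.id.fp.o certificate is what the per-user hosts would need.
    print("alice.id.fp.o covered by *.id.fp.o:",
          hostname_matches("*.id.fp.o", "alice.id.fp.o"))
```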