Once upon a time, Toshio Kuratomi <a.badger(a)gmail.com> said:
Note -- I made the same decision but I found out from puiterwijk that that
should be raising an error in the relying party (the website asking that you
auth with fedora's openid). The reason? We don't have SSL certificates for
all possible [username].id.fedoraproject.org domains.

https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in
SSL wildcard matching, a "*" does not match a ".". This means that
id.fp.o is matched with *.fp.o, but [username].id.fp.o is not.
There would have to be an SSL cert for *.id.fp.o, which would mean DNS
for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o
server and all SSL-using clients trying to access *.id.fp.o would have
to support TLS SNI.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
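The "*" never matches a "." rule above is the RFC 6125 wildcard rule (one wildcard, whole leftmost label, spanning exactly one DNS label). The following is an added example, not code from this thread or from Fedora infrastructure, that implements that rule and checks it against the names discussed; the SAN lists and the "someuser" hostname are constructed for illustration.

```python
"""Wildcard certificate name matching (RFC 6125 section 6.4.3 rules).

Added example, not from the mailing-list thread: shows why a cert for
*.fedoraproject.org covers id.fedoraproject.org but not
<username>.id.fedoraproject.org.  Hostnames and SAN lists are constructed.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a presented identifier (a SAN dNSName or CN value)
    matches hostname. A '*' is only honoured as the complete leftmost
    label and never matches across a '.' (it spans exactly one label).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label ('*.example.org'), only one
    # wildcard is allowed, and at least two labels must follow it so '*'
    # cannot stand for every name under a public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # Same label count: '*' consumes exactly one label of the hostname.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def matching_name(cert_names, hostname):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


# Constructed SAN list standing in for the *.fedoraproject.org wildcard cert.
WILDCARD_CERT = ["fedoraproject.org", "*.fedoraproject.org"]
# Constructed SAN list for a cert that also covers per-user identity hosts.
EXTENDED_CERT = WILDCARD_CERT + ["*.id.fedoraproject.org"]

if __name__ == "__main__":
    for host in ("id.fedoraproject.org", "someuser.id.fedoraproject.org"):
        print(host, "->", matching_name(WILDCARD_CERT, host),
              "/", matching_name(EXTENDED_CERT, host))
```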