Once upon a time, Toshio Kuratomi <a.badger@xxxxxxxxx> said:
> Note -- I made the same decision but I found out from puiterwijk that that
> should be raising an error in the relying party (the website asking that you
> auth with fedora's openid). The reason? We don't have SSL certificates for
> all possible [username].id.fedoraproject.org domains.

https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in
SSL wildcard matching, a "*" does not match a ".". This means that
id.fp.o is matched with *.fp.o, but [username].id.fp.o is not.

There would have to be an SSL cert for *.id.fp.o, which would mean DNS
for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o
server and all SSL-using clients trying to access *.id.fp.o would have
to support TLS SNI.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
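
The wildcard rule described in the message above, as an added example (not part of the original post and not code from Fedora's infrastructure). It is a simplified matcher that accepts "*" only as the whole leftmost label; the host name "username" and the certificate name lists are constructed for illustration.

```python
# Added illustration: simplified certificate wildcard matching.
# Assumption: "*" is honoured only as the entire leftmost label and
# stands for exactly one DNS label, so it can never span a ".".

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Different label counts can never match: "*" covers one label only.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # A wildcard anywhere but the leftmost label is rejected outright.
    if any("*" in label for label in rest):
        return False
    if first == "*":
        return rest == h_labels[1:]
    # Partial-label wildcards (e.g. "f*o") are not handled in this sketch.
    if "*" in first:
        return False
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """Names in a certificate's name list that cover `hostname`."""
    return [name for name in cert_names if wildcard_matches(name, hostname)]


# Constructed sample data: the existing wildcard cert, and the additional
# cert the message says would be required for per-user OpenID hosts.
CURRENT_CERT = ["*.fedoraproject.org"]
PER_USER_CERT = ["*.id.fedoraproject.org"]
HOSTS = ["id.fedoraproject.org", "username.id.fedoraproject.org"]


def report():
    """Map each host to the certificate names that would validate it."""
    return {
        host: {
            "current": covering_names(CURRENT_CERT, host),
            "per_user": covering_names(PER_USER_CERT, host),
        }
        for host in HOSTS
    }


if __name__ == "__main__":
    for host, result in report().items():
        print(host, result)
```
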