Logistical updates for accountchooser.com, .net, and the workinggroup site

Logistical updates for accountchooser.com, .net, and the workinggroup site Eric Sachs 5/22/12 8:10 PM
Many of you are on the thread below where we are working with Inventures which provides many backoffice/IT services to the OpenIDFoundation.  With their help the accountchooser.NET marketing site is now online (but still has some small edits we need to make).  In addition the accountchooser.COM site is hopefully only a day or two from being available with a live version of the central account chooser.  Because of these changes, the wiki page for the AC workinggroup has been updated to try to route techies to different sources of information they might find helpful based on their interests.

Once it is live, it will also directly host a copy of the accountchooser.js file needed by websites that want to integrate with accountchooser.com using the simple 3-step process.  While some of the early code for that JS file contained legacy references to GoogleIdentityToolkit, we are eliminating those.  So if you find any, let us know.  We'll also update the http://code.google.com/p/accountchooser/ repository to post all the HTML & JS used on the site.



Forwarded conversation
Subject: OIDF changes for accountchooser.com & accountchooser.net
------------------------

From: Eric Sachs <esa...@google.com>
Date: Wed, May 16, 2012 at 6:27 PM
To: Tammi Vital <tvi...@inventures.com>, John Keith <jtk...@cloudfour.com>
Cc: John Ehrig <jeh...@inventures.com>, Don Thibeau <d...@oidf.org>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Tammi, we are finally ready to start making some of the changes we discussed in the past for the OpenIDFoundation accountchooser domains, and wanted to get your help.

We have been working with a firm called Cloudfour to build a marketing website that will be hosted at accountchooser.NET.  The staging version of the site is live right now at acdev.cloudfour.com.  John Keith from CloudFour, copied here, will be working to set up the live site and can provide you with the DNS details to use.  Our goal is to get the live site up as soon as possible, though we won't formally announce it for a few more weeks.

You and I had also had some phone calls about the configuration for accountchooser.com including its SSL cert.  We are now ready to take the first steps to actually update the .COM site.  Could you do 2 things?

First, we will send you an SSL CSR.  Can you then use the domain registrar system that you have chosen for accountchooser.com to have that SSL cert signed?  If the registrar supports different options, like length of time, let us know and we'll figure out the best configuration.  Once it's done we'll also want to make sure Inventures bills the OIDF for the cost, and that it comes out of the marketing committee directed funding.  For the SSL certs, what Local & State value should we use in the CSR?  I noticed the openid.net cert has state=Oregon & locale=Portland.  But the OIDF's billing address these days is in San Ramon, CA.  Do you know whether the registrar will require a specific value to be used?

Also, we need to update the DNS settings of accountchooser.COM and www.accountchooser.COM to point to the new place hosting the updated static HTML files.  For now you can just configure the DNS to point to:
ns1.google.com, ns2.google.com, ns3.google.com and ns4.google.com
Later other companies might offer to host a copy of these files for free as well, and then we can change the DNS settings and get them a copy of the SSL cert.  You can go ahead and make this change anytime.  It will cause the accountchooser.COM site to temporarily give errors if someone visits it, but that is fine.  We'll get the new stuff up in non-SSL mode first, and then SSL as soon as the cert is done.


-- 
Eric Sachs | Senior Product Manager | esa...@google.com 


----------
From: John Keith <jtk...@cloudfour.com>
Date: Thu, May 17, 2012 at 9:45 AM
To: Tammi Vital <tvi...@inventures.com>
Cc: Eric Sachs <esa...@google.com>, Aileen Jeffries <ail...@cloudfour.com>


Hi Tammi,

Please point accountchooser.net and www.accountchooser.net to IP address 205.186.142.117

As of yesterday, we've pushed an initial copy of the site live at that IP address, so we're ready to test once the DNS has been updated.

Best regards,
John Keith
--
John Keith
jtk...@cloudfour.com | skype:jtkeith
503.781.9825





----------
From: Tammi Vital <tvi...@inventures.com>
Date: Thu, May 17, 2012 at 9:51 AM
To: John Keith <jtk...@cloudfour.com>
Cc: Eric Sachs <esa...@google.com>, Aileen Jeffries <ail...@cloudfour.com>


I have made the DNS change. It can take up to 24 hours to fully propagate.

 

Thanks,

Tammi

 

From: John Keith [mailto:jtk...@cloudfour.com
Sent: Thursday, May 17, 2012 9:45 AM
To: Tammi Vital
Cc: Eric Sachs; Aileen Jeffries
Subject: Re: OIDF changes for accountchooser.com & accountchooser.net


----------
From: Tammi Vital <tvi...@inventures.com>
Date: Thu, May 17, 2012 at 12:05 PM
To: Eric Sachs <esa...@google.com>, John Keith <jtk...@cloudfour.com>
Cc: John Ehrig <jeh...@inventures.com>, Don Thibeau <d...@oidf.org>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Eric,

 

Regarding the SSL cert. Please use state=California & locale=San Ramon. It will make the process easier. The cert for openid.net was created before the domain was transferred over to us.

 

When the CSR is sent to me, I will also need to know what platform the server is running on and how many bits the CSR is encrypted for. 2048 is pretty standard these days.

 

I usually prefer to purchase SSL certs from Thawte because they are the easiest to work with. They are not the cheapest but they have a good product and their support is excellent. Here is a link to their product site. http://www.thawte.com/ssl/index.html. I also use Comodo sometimes. Whichever one you want to go with is fine with me.

 

I have changed the nameservers for accountchooser.com to point to the Google nameservers. There is no need to do it for www.accountchooser.com as it is just an alias. It will need to be created when the rest of the DNS is set up by Google.

 

Let me know if you have any questions,

Tammi

 

From: Eric Sachs [mailto:esa...@google.com
Sent: Wednesday, May 16, 2012 6:28 PM
To: Tammi Vital; John Keith
Cc: John Ehrig; Don Thibeau; Pam Dingle; Greg Keegstra; Victor White; Aileen Jeffries; Guibin Kong; Sebastian Welsh
Subject: OIDF changes for accountchooser.com & accountchooser.net


----------
From: Eric Sachs <esa...@google.com>
Date: Fri, May 18, 2012 at 10:23 AM
To: Tammi Vital <tvi...@inventures.com>
Cc: John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Don Thibeau <d...@oidf.org>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Tammi, for the SSL cert let's go with Thawte for the 2-year "SSL Web Server Certificates with EV" cert.  Attached is the CSR which is 2048 bits for Linux platform.

----------
From: Tammi Vital <tvi...@inventures.com>
Date: Fri, May 18, 2012 at 2:28 PM
To: Eric Sachs <esa...@google.com>, Don Thibeau <d...@oidf.org>
Cc: John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Don,

 

I just spoke with John about this and because of the amount we need your approval. The total cost is $995. Do I have your approval to incur it on behalf of OIDF?

 

Thank You,

Tammi

 

From: Eric Sachs [mailto:esa...@google.com
Sent: Friday, May 18, 2012 10:24 AM
To: Tammi Vital
Cc: John Keith; John Ehrig; Don Thibeau; Pam Dingle; Greg Keegstra; Victor White; Aileen Jeffries; Guibin Kong; Sebastian Welsh
Subject: Re: OIDF changes for accountchooser.com & accountchooser.net


----------
From: Don Thibeau <d...@oidf.org>
Date: Fri, May 18, 2012 at 6:04 PM
To: Tammi Vital <tvi...@inventures.com>
Cc: Eric Sachs <esa...@google.com>, John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


yes please proceed


----------
From: Eric Sachs <esa...@google.com>
Date: Tue, May 22, 2012 at 9:42 AM
To: Don Thibeau <d...@oidf.org>
Cc: Tammi Vital <tvi...@inventures.com>, John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Tammi, will you have time to finish the SSL cert this week?

The other DNS changes you made are working so accountchooser.NET is now online, and all the content for accountchooser.COM is ready and as soon as we have the cert we can turn it on.

----------
From: Tammi Vital <tvi...@inventures.com>
Date: Tue, May 22, 2012 at 9:43 AM
To: Eric Sachs <esa...@google.com>, Don Thibeau <d...@oidf.org>
Cc: John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


By the end of the week should not be a problem. I am already working on it.

 

Tammi

 

From: Eric Sachs [mailto:esa...@google.com
Sent: Tuesday, May 22, 2012 9:42 AM
To: Don Thibeau
Cc: Tammi Vital; John Keith; John Ehrig; Pam Dingle; Greg Keegstra; Victor White; Aileen Jeffries; Guibin Kong; Sebastian Welsh


----------
From: Eric Sachs <esa...@google.com>
Date: Tue, May 22, 2012 at 9:44 AM
To: Tammi Vital <tvi...@inventures.com>
Cc: Don Thibeau <d...@oidf.org>, John Keith <jtk...@cloudfour.com>, John Ehrig <jeh...@inventures.com>, Pam Dingle <pdi...@pingidentity.com>, Greg Keegstra <gr...@janrain.com>, Victor White <vic...@gigya-inc.com>, Aileen Jeffries <ail...@cloudfour.com>, Guibin Kong <guibi...@google.com>, Sebastian Welsh <sebas...@google.com>


Fantastic, thanks!

----------
From: Tammi Vital <tvi...@inventures.com>
Date: Tue, May 22, 2012 at 10:42 AM
To: Eric Sachs <esa...@google.com>


What version of Linux is the server running?

 

From: Eric Sachs [mailto:esa...@google.com

Sent: Tuesday, May 22, 2012 9:42 AM
To: Don Thibeau
Cc: Tammi Vital; John Keith; John Ehrig; Pam Dingle; Greg Keegstra; Victor White; Aileen Jeffries; Guibin Kong; Sebastian Welsh


----------
From: Eric Sachs <esa...@google.com>
Date: Tue, May 22, 2012 at 10:48 AM
To: Tammi Vital <tvi...@inventures.com>


Our Linux kernels are customized.  Our operations team asked me what the list of options are that you can choose.  Our ops team said they can then suggest which one should work.

----------
From: Tammi Vital <tvi...@inventures.com>
Date: Tue, May 22, 2012 at 11:31 AM
To: Eric Sachs <esa...@google.com>


Eric,

 

Please see attached for the server choices. The list is rather extensive so I’m sure they can find something…

 

Thanks,

Tammi

 

From: Eric Sachs [mailto:esa...@google.com
Sent: Tuesday, May 22, 2012 10:49 AM
To: Tammi Vital


----------
From: Eric Sachs <esa...@google.com>
Date: Tue, May 22, 2012 at 11:36 AM
To: Tammi Vital <tvi...@inventures.com>, Sebastian Welsh <sebas...@google.com>


Sebastian, the OpenIDFoundation is working on that SSL for us (Tammi in particular is doing the work).  Attached is a long list of Linux platforms that are options for the SSL certificate.  Which one would you suggest that we use?

----------
From: Sebastian Welsh <sebas...@google.com>
Date: Tue, May 22, 2012 at 7:50 PM
To: Eric Sachs <esa...@google.com>
Cc: Tammi Vital <tvi...@inventures.com>




On Wed, May 23, 2012 at 4:36 AM, Eric Sachs <esa...@google.com> wrote:
Sebastian, the OpenIDFoundation is working on that SSL for us (Tammi in particular is doing the work).  Attached is a long list of Linux platforms that are options for the SSL certificate.  Which one would you suggest that we use?

It is a rather long list.

Specifying ApacheSSL should be fine. If we need to finesse the certificate once it has been issued we can do that.





-- 
Eric Sachs | Senior Product Manager | esa...@google.com 

Re: Logistical updates for accountchooser.com, .net, and the workinggroup site Eric Sachs 5/23/12 12:16 PM
>> the accountchooser.COM site is hopefully only a day or two from being available with a live version of the central account chooser.

We're getting closer.  The non-SSL version of accountchooser.com is running now.  You can use the testing tool site to start playing with it.  Inventures is making good progress on the SSL cert which is the next big piece.
Re: Logistical updates for accountchooser.com, .net, and the workinggroup site Eric Sachs 6/1/12 9:05 AM
Unfortunately we are continuing to run into problems with getting the SSL cert for accountchooser.com working.  Inventures is looking into it, but we don't have an ETA yet.

However we have published the static html/js files to the non-SSL version of accountchooser.com and they are working.  The other tasks being worked on are:
  • Updating the accountchooser.COM Learn More page to use the look&feel of accountchooser.NET with the help of CloudFour
  • Performance tweaks
  • Removing any legacy references to Google from function/variable names.  Also moving the demo apps to new DNS names that don't have the "git" prefix
  • Once those 3 are done, push the files to the open source repository


On Fri, May 25, 2012 at 2:21 PM, Tammi Vital <tvi...@inventures.com> wrote:

I’m looking into this…

 

Tammi

 

From: Sebastian Welsh [mailto:sebas...@google.com
Sent: Thursday, May 24, 2012 7:38 PM
To: Eric Sachs
Cc: Tammi Vital; guibi...@google.com


Subject: Re: OIDF changes for accountchooser.com & accountchooser.net

 

I just want to check on something.

 

The CSR I provided included a SAN. However, that SAN has dropped off the certificate that was issued. As it stands, this certificate will only be valid for accountchooser.com. Connections to www.accountchooser.com will fail.

 

To view the contents of the request: openssl req -in accountchooser.com.csr -noout -text

It contains the following:

            X509v3 Subject Alternative Name: 

                DNS:accountchooser.com, DNS:www.accountchooser.com

 

However, the certificate issued by Thawte does not include these SANs.

 

To extract the certificates:  openssl pkcs7 -print_certs -in AccountChooserCert.txt -out accountchooser_chained.pem

To view the accountchooser certificate (it's the first cert in accountchooser_chained.pem): openssl x509 -in accountchooser_chained.pem -text 

 

Seb

 

On Fri, May 25, 2012 at 9:01 AM, Eric Sachs <esa...@google.com> wrote:

Awesome!  Thanks so much Tammi.  I can't think of anything else right now that we need your help with.



>> Please let me know if you need anything else.

Make sure to submit the bill to the OIDF :-)

 

On Thu, May 24, 2012 at 4:00 PM, Tammi Vital <tvi...@inventures.com> wrote:

Eric,

 

The cert has been approved. I’ve sent it in a separate email to Sebastian.

 

Please let me know if you need anything else.

 

Tammi

 

From: Eric Sachs [mailto:esa...@google.com
Sent: Thursday, May 24, 2012 3:05 PM


To: Tammi Vital
Cc: Sebastian Welsh; guibi...@google.com


Subject: Re: OIDF changes for accountchooser.com & accountchooser.net

 

We are definitely NOT doing ecommerce :-)

 

So let's go with regular cert

On Thu, May 24, 2012 at 3:04 PM, Tammi Vital <tvi...@inventures.com> wrote:

A regular cert is fine in my opinion as long as you are not doing something like credit card transactions .

 

Tammi

From: Eric Sachs [mailto:esa...@google.com
Sent: Thursday, May 24, 2012 2:58 PM
To: Tammi Vital
Cc: Sebastian Welsh; guibi...@google.com


Subject: Re: OIDF changes for accountchooser.com & accountchooser.net

 

I honestly don't know much about the difference.  Sebastian has more expertise than I do.  So since he is fine with the regular cert, let's go ahead and cancel the EV and get the regular one.

 

 



 


 

 




-- 
Eric Sachs | Senior Product Manager | esa...@google.com 
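
The check Sebastian describes in the message above (a CSR that requested a SAN, and an issued certificate that lacks it) can be scripted so it runs before a certificate is deployed. This is an added example, not part of the original thread: the function names and the throwaway key, CSR and certificates it generates are constructed for the demo, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every DNS name requested
# in a CSR's subjectAltName made it into the issued certificate.

# Print the DNS SANs of a CSR (kind=req) or certificate (kind=x509), sorted.
san_list() {
    kind=$1; file=$2
    openssl "$kind" -in "$file" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort -u
}

# Print names requested in the CSR but absent from the certificate.
# Returns 0 when nothing is missing, 1 otherwise.
missing_sans() {
    want=$(san_list req "$1")
    have=$(san_list x509 "$2")
    missing=""
    for name in $want; do
        printf '%s\n' "$have" | grep -qxF "$name" || missing="$missing $name"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed demo material: throwaway key, a CSR requesting both names,
# a self-signed cert issued without the SAN and one issued with it.
make_demo() {
    d=$1
    san='subjectAltName=DNS:accountchooser.com,DNS:www.accountchooser.com'
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -subj '/CN=accountchooser.com' -addext "$san" \
        -out "$d/req.csr" 2>/dev/null
    # x509 -req ignores the CSR's requested extensions by default,
    # which reproduces a certificate that silently lost its SAN.
    openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 1 \
        -out "$d/dropped.pem" 2>/dev/null
    printf '%s\n' "$san" > "$d/ext.cnf"
    openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 1 \
        -extfile "$d/ext.cnf" -out "$d/kept.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo "$tmp"
missing_sans "$tmp/req.csr" "$tmp/dropped.pem" || echo "^ requested, not issued"
missing_sans "$tmp/req.csr" "$tmp/kept.pem" && echo "kept.pem: all names present"
rm -rf "$tmp"
```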

RE: Logistical updates for accountchooser.com, .net, and the workinggroup site Axel Nennker 6/1/12 10:57 AM

Hm. When I visit http://accountchooser.com/ then I am redirected to http://www.accountchooser.com/ which shows a nearly empty page.

At the top is a centered grayish line which is about 3 pixels thick.

 

I tried this in the DT intranet (windows, Firefox 12 & IE9), from a personal device without any proxies (ubuntu Firefox 12) and Android Firefox Nightly. The result is the same. The html code of that page is attached to this email.

 

Axel

 

From: oidf-account...@googlegroups.com [mailto:oidf-account-chooser-list@googlegroups.com] On Behalf Of Eric Sachs
Sent: Friday, June 01, 2012 6:05 PM
To: oidf-account-chooser-list
Subject: Re: Logistical updates for accountchooser.com, .net, and the workinggroup site

Re: Logistical updates for accountchooser.com, .net, and the workinggroup site Eric Sachs 6/1/12 11:01 AM
We want to leave it that way until we can fix the SSL issue and learnmore page.  Otherwise sites/people might mistakenly think they could use the non-SSL version.
RE: Logistical updates for accountchooser.com, .net, and the workinggroup site Axel Nennker 6/1/12 12:32 PM

Wouldn’t it make sense to create a self-signed certificate until the real one is ready?

People would have to accept that cert once and could try accountchooser.com.

 

Currently it looks broken.

 

From: oidf-account...@googlegroups.com [mailto:oidf-account-chooser-list@googlegroups.com] On Behalf Of Eric Sachs
Sent: Friday, June 01, 2012 8:02 PM
To: oidf-account...@googlegroups.com

Re: Logistical updates for accountchooser.com, .net, and the workinggroup site Eric Sachs 6/1/12 12:37 PM
>> Wouldn’t it make sense to create a self-signed certificate until the real one is ready?

The Google operations team who is responsible for this super-fast content serving system are real sticklers about process/security.  Based on our testing, the performance advantages (especially outside US/Eastern-Europe) are really worth the benefit of the extra hassle.