CILogon OpenID Improvements

Post date: Mar 31, 2011 8:37:29 PM

In response to input we've received from early adopters of the CILogon Service, we've made some changes to how the CILogon OpenID CA issues certificates based on OpenID (Google, Verisign, or Yahoo) authentication.

Now, rather than including the user's OpenID Identifier (often a long, unwieldy URL) in the certificate subject, the CILogon OpenID CA will instead put the user's name (as provided by the OpenID provider) in the certificate subject. The CILogon OpenID CA will also now include the user's email address (as provided by the OpenID provider) in the certificate subject alternative name field. This change provides greater consistency in CILogon CA behavior across InCommon and OpenID. We believe this change will make CILogon certificates easier to work with (for example, shorter certificate subject names are easier to register with relying parties) and more useful (for example, including email addresses in certificates supports email signing/encryption and provides relying parties with contact information for users).

Thanks to those who have provided suggestions for improving the CILogon Service. Please keep sending suggestions to