[security] MyOpenID

Granqvist, Hans hgranqvist at verisign.com
Wed Mar 21 13:20:31 PDT 2007


If it's a protocol issue there are several providers that
can be hurt, so please exercise restraint in disclosing before
other providers apart from MyOpenID have a chance to act!

Best would be some timeline to get concerned implementations
a chance to contact you and ask if their provider is vulnerable
(like I did in a separate email) and then give some time for
these parties to patch?

Thanks,
Hans

> -----Original Message-----
> From: security-bounces at openid.net 
> [mailto:security-bounces at openid.net] On Behalf Of gaz_sec at hushmail.com
> Sent: Wednesday, March 21, 2007 12:15 PM
> To: security at openid.net
> Subject: Re: [security] MyOpenID
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> No, in my opinion the provider is following the correct 
> implementation of OpenID so I think it is a problem with 
> OpenID itself. It can be easily solved but provides 
> inconvenience to the user of the OpenID service. I shall 
> email the flaw once the provider has got back to me with a fix.
> 
> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
> <email at pbryan.net> wrote:
> >On Wed, 2007-03-21 at 18:51 +0000, gaz_sec at hushmail.com wrote:
> >
> >> I do have a working example that works in 1 browser at the moment but
> >> I can't send it because it is currently being fixed by MyOpenID. When
> >> I find out it has been fixed I shall send the example to the list.
> >
> >Presumably, then, this second case is a bug in a provider 
> >implementation, not the protocol.
> >
> >Paul
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at 
> https://www.hushtools.com/verify
> Version: Hush 2.5
> 
> -----END PGP SIGNATURE-----
> 