[security] MyOpenID

gaz_sec at hushmail.com gaz_sec at hushmail.com
Wed Mar 21 13:35:40 PDT 2007


I have no problem with that either; I am currently investigating
other browsers.
If anyone has an OpenID service that they wish me to have a quick
look at then please contact me.

On Wed, 21 Mar 2007 20:25:24 +0000 Scott Kveton <scott at janrain.com>
wrote:
>> If it's a protocol issue there are several providers that
>> can be hurt, so pls exercise restraint in disclosing before
>> other providers apart from MyOpenID have a chance to act!
>
>That's a great point Hans, we'll exercise restraint as well if
>that's the case.
>
>> Best would be some timeline to get concerned implementations
>> chance to contact you and ask if their provider is vulnerable
>> (like I did in a separate email) and then give some time for
>> these parties to patch?
>
>Excellent idea.  This seems like a great wiki topic "How to report
>a security vulnerability".
>
>- Scott
>
>
>
>
>>> -----Original Message-----
>>> From: security-bounces at openid.net
>>> [mailto:security-bounces at openid.net] On Behalf Of
>>> gaz_sec at hushmail.com
>>> Sent: Wednesday, March 21, 2007 12:15 PM
>>> To: security at openid.net
>>> Subject: Re: [security] MyOpenID
>>>
>>> No, in my opinion the provider is following the correct
>>> implementation of OpenID so I think it is a problem with
>>> OpenID itself. It can be easily solved but provides
>>> inconvenience to the user of the OpenID service. I shall
>>> email the flaw once the provider has got back to me with a fix.
>>>
>>> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
>>> <email at pbryan.net> wrote:
>>>> On Wed, 2007-03-21 at 18:51 +0000, gaz_sec at hushmail.com wrote:
>>>>
>>>>> I do have a working example that works in 1 browser at the
>>>>> moment but I can't send it because it is currently being fixed
>>>>> by MyOpenID. When I find out it has been fixed I shall send the
>>>>> example to the list.
>>>>
>>>> Presumably, then, this second case is a bug in a provider
>>>> implementation, not the protocol.
>>>>
>>>> Paul
>>>
>>> _______________________________________________
>>> security mailing list
>>> security at openid.net
>>> http://openid.net/mailman/listinfo/security
>>>