SREG 1.1 Draft 1

James Henstridge james at jamesh.id.au
Thu Jan 3 12:30:08 UTC 2008


On 03/01/2008, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
>
> Section 4 requires any sreg field to be signed and listed in openid.signed.
>
> Since the list of fields now includes openid.ns.sreg, does that have to be
> signed as well? The way it is written the answer is yes, but I would assume
> that is not the intention.

I think it is good practice to sign the namespace identifiers in the response.

If the response includes signed openid.sreg.* values but does not sign
openid.ns.sreg, a man in the middle could change the namespace URI and
effectively strip the data from the response while maintaining the
signature.

If two extensions were similar enough, an attacker could change the
meaning of a message rather than just remove information.

James.
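The stripping attack described in the message above, worked through as an added example (this is not code from the thread, the sreg draft or any OpenID library): a constructed OP signs an id_res response with an HMAC over the OpenID 2.0 key-value form of the fields listed in openid.signed, and a constructed relying party resolves the sreg alias through openid.ns.sreg before reading openid.sreg.*. The association MAC key, endpoint URLs, nonce and sreg values are constructed sample data; the function names are illustrative. When openid.ns.sreg is left out of openid.signed, a man in the middle rebinds the alias to an unrelated URI, the signature still verifies, and the RP sees no sreg data at all; once openid.ns.sreg is signed the same change breaks the signature.

```python
import base64
import hashlib
import hmac

# Constructed association MAC key. In OpenID 2.0 it is negotiated between OP
# and RP during association; here it is a fixed sample so the example runs offline.
MAC_KEY = bytes(range(32))

SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Core fields OpenID 2.0 requires in openid.signed for a positive assertion.
CORE_SIGNED = ["op_endpoint", "claimed_id", "identity",
               "return_to", "response_nonce", "assoc_handle"]

# Constructed positive assertion carrying two sreg values (sample data).
BASE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2008-01-03T12:30:08ZAbCdEf",
    "openid.assoc_handle": "handle-1",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.email": "alice@example",
    "openid.sreg.nickname": "alice",
}


def kv_form(msg, signed):
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' per field,
    in openid.signed order, with the 'openid.' prefix dropped from the key."""
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed).encode()


def op_sign(msg, signed):
    """OP side: set openid.signed and openid.sig (HMAC-SHA256 over the kv form)."""
    msg = dict(msg)
    msg["openid.signed"] = ",".join(signed)
    mac = hmac.new(MAC_KEY, kv_form(msg, signed), hashlib.sha256).digest()
    msg["openid.sig"] = base64.b64encode(mac).decode()
    return msg


def rp_verify(msg):
    """RP side: recompute the HMAC over exactly the fields the message says are signed."""
    signed = msg["openid.signed"].split(",")
    mac = hmac.new(MAC_KEY, kv_form(msg, signed), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), msg["openid.sig"])


def rp_sreg_fields(msg):
    """RP side: find the alias bound to the sreg namespace URI via openid.ns.<alias>,
    then collect openid.<alias>.* values. No binding means no sreg data."""
    alias = None
    for key, value in msg.items():
        if key.startswith("openid.ns.") and value == SREG_NS:
            alias = key[len("openid.ns."):]
    if alias is None:
        return {}
    prefix = f"openid.{alias}."
    return {k[len(prefix):]: v for k, v in msg.items() if k.startswith(prefix)}


def mitm_rebind_namespace(msg):
    """Attacker between OP and RP: change only the namespace URI behind the
    'sreg' alias. The openid.sreg.* values and openid.sig are left untouched."""
    tampered = dict(msg)
    tampered["openid.ns.sreg"] = "http://example.invalid/unrelated"
    return tampered


def run(sign_namespace):
    """Sign the response with or without ns.sreg in openid.signed, apply the
    attack, and return (signature_valid, sreg_fields_seen_by_rp)."""
    signed = CORE_SIGNED + ["sreg.email", "sreg.nickname"]
    if sign_namespace:
        signed.append("ns.sreg")
    tampered = mitm_rebind_namespace(op_sign(BASE_RESPONSE, signed))
    return rp_verify(tampered), rp_sreg_fields(tampered)


if __name__ == "__main__":
    print("ns.sreg unsigned:", run(False))   # signature valid, sreg data gone
    print("ns.sreg signed:  ", run(True))    # signature fails, RP rejects
```

The unsigned case is the one to notice: every openid.sreg.* value is still present and still covered by a valid signature, yet the RP, which only trusts fields under an alias bound to the sreg namespace, extracts nothing. Signing openid.ns.sreg costs one more line in openid.signed and turns the same tampering into a signature failure.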
