[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Jan 5 04:23:50 UTC 2009
On 01/05/2009 06:16 AM, Peter Williams:
> Eric
>
> Are you comfortable with the truth of the following wording:
>
> "This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate."
>
> Are you telling me that no exploitation of that attack method actually occurred, as expressed above?
>
> That is: no one "generate(d) additional digital certificates with different content that have the same digital signature as an original certificate."
>
> If so I hereby apologise.

I think that the real life exploit hasn't happened yet and no real
damage occurred. I think there is a difference between a research group
or security specialist finding an exploit and a vulnerability actually
being exploited.

Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390