[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Eric Norman ejnorman at doit.wisc.edu
Mon Jan 5 07:42:55 UTC 2009


On Jan 4, 2009, at 10:16 PM, Peter Williams wrote:

>
>
> Eric
>
> Are you comfortable with the truth of the following wording:
>
> "This attack method could allow an attacker to generate additional 
> digital certificates with different content that have the same digital 
> signature as an original certificate."

I'm comfortable with that.

> Are you telling me that no exploitation of that attack method actually 
> occurred, as expressed above?
>
> That is: no one "generate(d) additional digital certificates with 
> different content that have the same digital signature as an original 
> certificate".

As Eddy (and lots of others) said, there are almost certainly
no certificates in the field that have been forged with this
attack.  And none are likely to be created in the future.

Eric Norman



