[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Mon Jan 5 18:17:17 UTC 2009
Slowly getting there! Between denial and word spin, OpenID evidently has some "full disclosure" culture yet to be adopted.
First, denial that a compromise of a vital security policy rule has occurred (or could even occur).
Second, denial that a cert was minted by, analogously, cutting a signature from the bottom of one bit of paper and tacking it onto a new bit of paper, publishing the apparent forgery as if the parts had been attached by the named signer.
Third, denial that an EE OCSP responder is relevant, perhaps for OpenID discovery too?
Now we are at: only focus, Peter, on the impact (of the two things that didn't happen) and ignore something Microsoft folk recommended, as that has no relevance.
Perhaps Microsoft didn't recommend that enterprise customers deploy an EE OCSP responder (in light of the information they apparently received)? Perhaps the very issue of EE OCSP was not part of the attackers' own story?
So to OpenID. How do we handle things in OpenID if the OP compromises its store of private associations? The effect is more severe than if a given RP does the same thing. Does the recovering OP purge all name federations at some or all SP entities? Does it need to send a letter to each subscriber?
The attackers apparently gave impact assessment notice to browser makers. But they didn't bother to give it to the 26,000 OpenID RP sites capable of doing OpenID 1 HTTPS discovery. If there was no impact, why apparently pre-inform the browser vendors (and allegedly list two of them on the presentation slides)?
But at least the role of OP entities is getting highlighted by all this, since it's an assertion maker. Or is it, under UCI? Perhaps an OP (unlike a Shib IdP) is but a user #agent#?
-----Original Message-----
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org>
Sent: Monday, January 05, 2009 5:05 AM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Eric Norman <ejnorman at doit.wisc.edu>; OpenID List <general at openid.net>
Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
On 01/05/2009 11:09 AM, Peter Williams:
> -----Original Message-----
> From: general-bounces at openid.net<mailto:general-bounces at openid.net> [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Sunday, January 04, 2009 11:43 PM
> As Eddy (and lots of others) said, there are almost certainly
> no certificates in the field that have been forged with this
> attack.
> Eddy, did you really say that? "almost certainly no certificates…?"
> If you know of a URL that disproves this, perhaps send it to Eric. I'd expect most people in the CA business to know it. Even the folks at cacert.org know it…
Can you show me a case where certificates were successfully used and created damage to any relying parties? To all of my knowledge this is not the case, for this or that reason.
Regards
Signer: Eddy Nigg, StartCom Ltd.<http://www.startcom.org>
Jabber: startcom at startcom.org<xmpp:startcom at startcom.org>
Blog: Join the Revolution!<http://blog.startcom.org>
Phone: +1.213.341.0390