[OpenID] Association poisoning
Martin Atkins
mart at degeneration.co.uk
Sun Mar 8 20:17:49 UTC 2009
Andrew Arnott wrote:
> Martin,
> Yes, that about sums it up. Since thinking of this potential problem I
> couldn't find anywhere in the OpenID 2.0 spec that calls out the caution.
> If it isn't there, perhaps 2.1 can add it.
>
> As stated in my blog post, I only checked Janrain's ruby library and
> dotnetopenid. I haven't checked any other RPs. I hope that anyone that
> owns an RP implementation will check for this.
I checked the Perl Net::OpenID::Consumer implementation and confirmed
that it doesn't suffer from this flaw.