[OpenID] OpenID 2.0 spec security improvement suggestion

Andrew Arnott andrewarnott at gmail.com
Wed Mar 11 19:44:43 UTC 2009


Thanks, Breno.  I think your rewording is good.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Wed, Mar 11, 2009 at 11:33 AM, Breno de Medeiros <breno at google.com> wrote:

>
>
> On Wed, Mar 11, 2009 at 11:17 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
>
>> In OpenID 2.0 section 11.1, we see the following requirement regarding
>> verifying the openid.return_to parameter:
>>
>> Any query parameters that are present in the "openid.return_to" URL MUST
>> also be present with the same values in the URL of the HTTP request the RP
>> received.
>>
>>
>> But consider this incoming RP message: (I didn't bother properly URL
>> encoding it since that would just make it harder to read)
>>
>> http://rp/authenticate?a=b&a=c&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db&openid.*(other openid parameters)
>>
>> In the above GET request, the openid.return_to value has a decoded value
>> of http://rp/authenticate?a=b.  You can see that the incoming request
>> matches the requirements as all keys exist with the same values.
>>  However, some keys (specifically 'a' in this example) show up multiple
>> times, and have different values.  Depending on the library, this could have
>> adverse security or undesirable altering effects.
>>
>> I wonder if we should enhance the 2.1 spec to say that the same keys must
>> not appear more than they do in the return_to URL.
>>
>
> What if they appear a fewer number of times?
>
> The correct language is that the set of parameter assignments "a=b", where
> 'a' is the key and 'b' is the value, that appear in the HTTP request the RP
> received, and that are not OpenID parameters, should be identical to the set
> of assignments present in the query part of the return_to URL in the
> authentication response.
>
>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - Voltaire
>>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
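As an added example (not code from this thread or from any OpenID library), the following Python contrasts the literal section 11.1 reading with Breno's "identical set of assignments" wording, run on a constructed request shaped like Andrew's duplicate-key case:

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def _query_pairs(query):
    # keep_blank_values so "a=" and an absent "a" are not conflated
    return parse_qsl(query, keep_blank_values=True)


def _non_openid(pairs):
    """Multiset of (key, value) assignments that are not OpenID protocol parameters."""
    return Counter((k, v) for k, v in pairs if not k.startswith("openid."))


def naive_spec_check(request_url):
    """Literal reading of section 11.1: every return_to query assignment must be
    present with the same value in the RP request. Extra or repeated keys pass."""
    req = urlsplit(request_url)
    req_pairs = _query_pairs(req.query)
    return_to = dict(req_pairs).get("openid.return_to")
    if return_to is None:
        return False
    return all(pair in req_pairs for pair in _query_pairs(urlsplit(return_to).query))


def strict_check(request_url):
    """Breno's wording: the multiset of non-OpenID assignments in the request must
    be identical to the multiset of assignments in the return_to query."""
    req = urlsplit(request_url)
    req_pairs = _query_pairs(req.query)
    return_to = dict(req_pairs).get("openid.return_to")
    if return_to is None:
        return False
    rt = urlsplit(return_to)
    # scheme, host and path of return_to must also match the request (section 11.1)
    if (req.scheme, req.netloc, req.path) != (rt.scheme, rt.netloc, rt.path):
        return False
    return _non_openid(req_pairs) == _non_openid(_query_pairs(rt.query))


# Constructed sample requests; openid.return_to decodes to http://rp/authenticate?a=b
REQ_DUPLICATE_KEY = ("http://rp/authenticate?a=b&a=c"
                     "&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db"
                     "&openid.mode=id_res")
REQ_EXACT = ("http://rp/authenticate?a=b"
             "&openid.return_to=http%3a%2f%2frp%2fauthenticate%3fa%3db"
             "&openid.mode=id_res")
```

On REQ_DUPLICATE_KEY the literal check passes and the strict check rejects the extra `a=c`; on REQ_EXACT both pass.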