[OpenID] OpenID Security Issues
Breno de Medeiros
breno at google.com
Mon Nov 16 17:48:31 UTC 2009
Mike Hanson took the notes and shared them with Jeff Hodges and
myself. I thought he had also sent them to the IIW note repository,
but if he did not, here is a publicly accessible copy:
http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr
On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <email at ashishjain.com> wrote:
> Allen,
> Here is a link to some more description around the issues:
> https://sites.google.com/site/openidreview/issues
>
> Here is a link to the resources/papers that we mentioned:
> https://sites.google.com/site/openidreview/resources
>
> I haven't been able to find notes from Breno's IIW session. Here is a link
> to the whiteboard picture: http://www.flickr.com/photos/_nat/4075945912/
>
> Thanks,
> -Ashish
>
>
>
> On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>
>> Hi All,
>>
>> There were several security discussions last week at the OpenID Summit and
>> IIW, and it's about time that we follow up on them:
>>
>> For those of you who weren't able to attend last week, some of the presos
>> are here:
>> http://wiki.openid.net/OpenIDSummit2009
>>
>> And I started a wiki here:
>> http://wiki.openid.net/SecurityIssues
>>
>> A new issue (at least to me) is the Session Swapping issue reported by
>> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution
>> is to have the RP do something similar to a checkid_immediate request after
>> receiving an assertion. This would allow the RP and OP to confirm that the
>> assertion was actually issued by the OP to the user that's trying to
>> authenticate at the RP, at the cost of another round trip.
>>
>> Another issue that's always discussed is Phishing. While I don't think we
>> will completely solve the phishing problem in the near future, there are
>> things that we can do now to help protect users from phishing. The client
>> side OpenID selectors that were demoed last week can potentially improve
>> both usability and security for users who have them installed.
>>
>> Some applications have issues with OpenID assertions being transmitted
>> unencrypted via the user's browser. I believe that the Artifact Binding WG
>> will try to address this issue.
>>
>> Anything else? It looks like there's consensus that Single Sign Out should
>> be deferred for the time being.
>>
>> Allen
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
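As an added illustration of the session-swapping issue Allen raises in the quoted message (this is example code written for this archive page, not code from the thread or any OpenID library): an RP that binds each checkid_setup request to the browser session with a nonce carried in return_to, so that a genuine assertion obtained in the attacker's browser is rejected when replayed into the victim's session. It shows the session-binding check rather than the extra checkid_immediate round trip proposed in the thread; the endpoint URL, the `rp.nonce` parameter name and the identifiers are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed RP endpoint and parameter name; not taken from the thread.
RP_RETURN_URL = "https://rp.example/openid/return"
NONCE_PARAM = "rp.nonce"


def start_auth(session: dict) -> str:
    """Begin a checkid_setup flow for one browser session.

    A fresh nonce is stored server-side in the session and echoed in
    return_to, so the assertion that eventually comes back can be tied
    to the browser that actually started the flow."""
    nonce = secrets.token_urlsafe(16)
    session["openid_nonce"] = nonce
    return RP_RETURN_URL + "?" + urlencode({NONCE_PARAM: nonce})


def accept_assertion(session: dict, params: dict) -> bool:
    """Accept a positive assertion only if it belongs to this session.

    Signature verification against the OP (association key or
    check_authentication) is assumed to have already passed; this check
    answers a different question: was this assertion issued for the
    user whose browser is now presenting it?"""
    expected = session.pop("openid_nonce", None)  # single use: no replay
    if expected is None:
        return False
    parsed = urlparse(params.get("openid.return_to", ""))
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base != RP_RETURN_URL:
        return False
    got = parse_qs(parsed.query).get(NONCE_PARAM, [None])[0]
    return got is not None and secrets.compare_digest(
        got.encode(), expected.encode())


def session_swap_attempt() -> bool:
    """Constructed scenario: the attacker completes a genuine login for
    their own identifier, then causes the victim's browser to submit that
    assertion to the RP. The RP must not log the victim in as the attacker."""
    attacker_session = {}
    swapped = {
        "openid.mode": "id_res",
        "openid.claimed_id": "https://op.example/attacker",  # constructed
        "openid.return_to": start_auth(attacker_session),
    }
    victim_session = {}
    start_auth(victim_session)  # victim has their own flow in progress
    return accept_assertion(victim_session, swapped)  # False: nonce mismatch
```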