[OpenID] OpenID Security Issues

Chris Messina chris.messina at gmail.com
Tue Nov 17 01:15:16 UTC 2009


No problem.

I understand how that goes — but if there's any way that we could make the
wiki the preferred "interim" solution, I'd love to know!

I could see how Google Sites would be easier, but maybe there's something we
can do to make using the wiki easier?

On Mon, Nov 16, 2009 at 5:14 PM, Ashish Jain <email at ashishjain.com> wrote:

> It was created as an interim measure.
> +1 to moving the contents/links to the main wiki.
> -Ashish
>
>
> On Mon, Nov 16, 2009 at 6:07 PM, Chris Messina <chris.messina at gmail.com> wrote:
>
>> Can we try to keep all this documentation on the actual OpenID wiki?
>>
>> Is there a reason that this OpenID Review Google Site was created?
>>
>> I just want to 1) keep things in a convenient, central place and 2) have a
>> standard means to report these issues.
>>
>> Also, using a non-openid.net domain seems, well, kind of like a missed
>> opportunity.
>>
>> Chris
>>
>>
>> On Mon, Nov 16, 2009 at 9:48 AM, Breno de Medeiros <breno at google.com> wrote:
>>
>>> Mike Hanson took the notes and shared them with Jeff Hodges and
>>> myself. I thought he had also sent them to the IIW note repository,
>>> but if he did not, here is a publicly accessible copy:
>>>
>>> http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr
>>>
>>> On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <email at ashishjain.com>
>>> wrote:
>>> > Allen,
>>> > Here is a link to some more description around the issues:
>>> > https://sites.google.com/site/openidreview/issues
>>> >
>>> > Here is a link to the resources/papers that we mentioned:
>>> > https://sites.google.com/site/openidreview/resources
>>> >
>>> > I haven't been able to find notes from Breno's IIW session. Here is a
>>> > link to the whiteboard picture:
>>> > http://www.flickr.com/photos/_nat/4075945912/
>>> >
>>> > Thanks,
>>> > -Ashish
>>> >
>>> >
>>> >
>>> > On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>> >>
>>> >> Hi All,
>>> >>
>>> >> There were several security discussions last week at the OpenID Summit
>>> >> and IIW, and it's about time that we follow up on them:
>>> >>
>>> >> For those of you who weren't able to attend last week, some of the
>>> >> presos are here:
>>> >> http://wiki.openid.net/OpenIDSummit2009
>>> >>
>>> >> And I started a wiki here:
>>> >> http://wiki.openid.net/SecurityIssues
>>> >>
>>> >> A new issue (at least to me) is the Session Swapping issue reported by
>>> >> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential
>>> >> solution is to have the RP do something similar to a checkid_immediate
>>> >> request after receiving an assertion. This would allow the RP and OP to
>>> >> confirm that the assertion was actually issued by the OP to the user
>>> >> that's trying to authenticate at the RP, at the cost of another round
>>> >> trip.
>>> >>
>>> >> Another issue that's always discussed is Phishing. While I don't think
>>> >> we will completely solve the phishing problem in the near future, there
>>> >> are things that we can do now to help protect users from phishing. The
>>> >> client-side OpenID selectors that were demoed last week can potentially
>>> >> improve both usability and security for users who have them installed.
>>> >>
>>> >> Some applications have issues with OpenID assertions being transmitted
>>> >> unencrypted via the user's browser. I believe that the Artifact Binding
>>> >> WG will try to address this issue.
>>> >>
>>> >> Anything else? It looks like there's consensus that Single Sign Out
>>> >> should be deferred for the time being.
>>> >>
>>> >> Allen
>>> >>
>>> >> _______________________________________________
>>> >> general mailing list
>>> >> general at lists.openid.net
>>> >> http://lists.openid.net/mailman/listinfo/openid-general
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> --Breno
>>>
>>> +1 (650) 214-1007 desk
>>> +1 (408) 212-0135 (Grand Central)
>>> MTV-41-3 : 383-A
>>> PST (GMT-8) / PDT(GMT-7)
>>>
>>
>>
>>
>> --
>> Chris Messina
>> Open Web Advocate
>>
>> Personal: http://factoryjoe.com
>> Follow me on Twitter: http://twitter.com/chrismessina
>>
>> Citizen Agency: http://citizenagency.com
>> Diso Project: http://diso-project.org
>> OpenID Foundation: http://openid.net
>>
>> This email is:   [ ] shareable    [X] ask first   [ ] private
>>
>
>


-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private