[OpenID] OpenID Security Issues

Ashish Jain email at ashishjain.com
Tue Nov 17 01:48:18 UTC 2009


It's probably a natural evolution process.
Have an idea, capture it in a notepad. Looking to get feedback from a
selected few, throw it on an individually controlled Google site. Once you
have some consensus, move it to a central wiki.


On Mon, Nov 16, 2009 at 6:15 PM, Chris Messina <chris.messina at gmail.com>wrote:

> No problem.
>
> I understand how that goes — but if there's any way that we could make the
> wiki the preferred "interim" solution, I'd love to know!
>
> I could see how Google Sites would be easier, but maybe there's something
> we can do to make using the wiki easier?
>
>
> On Mon, Nov 16, 2009 at 5:14 PM, Ashish Jain <email at ashishjain.com> wrote:
>
>> It was created as an interim measure.
>> +1 to moving the contents/links to the main wiki.
>> -Ashish
>>
>>
>> On Mon, Nov 16, 2009 at 6:07 PM, Chris Messina <chris.messina at gmail.com>wrote:
>>
>>> Can we try to keep all this documentation on the actual OpenID wiki?
>>>
>>> Is there a reason that this OpenID Review Google Site was created?
>>>
>>> I just want to 1) keep things in a convenient, central place and 2) have
>>> a standard means to report these issues.
>>>
>>> Also, using a non-openid.net domain seems, well, kind of like a missed
>>> opportunity.
>>>
>>> Chris
>>>
>>>
>>> On Mon, Nov 16, 2009 at 9:48 AM, Breno de Medeiros <breno at google.com>wrote:
>>>
>>>> Mike Hanson took the notes and shared them with Jeff Hodges and
>>>> myself. I thought he had also sent them to the IIW note repository,
>>>> but if he did not, here is a public accessible copy:
>>>>
>>>> http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr
>>>>
>>>> On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <email at ashishjain.com> wrote:
>>>> > Allen,
>>>> > Here is a link to some more description around the issues:
>>>> > https://sites.google.com/site/openidreview/issues
>>>> >
>>>> > Here is a link to the resources/papers that we mentioned:
>>>> > https://sites.google.com/site/openidreview/resources
>>>> >
>>>> > I haven't been able to find notes from Breno's IIW session. Here is a
>>>> > link to the whiteboard picture:
>>>> > http://www.flickr.com/photos/_nat/4075945912/
>>>> >
>>>> > Thanks,
>>>> > -Ashish
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>>> >>
>>>> >> Hi All,
>>>> >>
>>>> >> There were several security discussions last week at the OpenID Summit and
>>>> >> IIW, and it's about time that we follow up on them:
>>>> >>
>>>> >> For those of you who weren't able to attend last week, some of the presos
>>>> >> are here:
>>>> >> http://wiki.openid.net/OpenIDSummit2009
>>>> >>
>>>> >> And I started a wiki here:
>>>> >> http://wiki.openid.net/SecurityIssues
>>>> >>
>>>> >> A new issue (at least to me) is the Session Swapping issue reported by
>>>> >> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution
>>>> >> is to have the RP do something similar to a checkid_immediate request after
>>>> >> receiving an assertion. This would allow the RP and OP to confirm that the
>>>> >> assertion was actually issued by the OP to the user that's trying to
>>>> >> authenticate at the RP, at the cost of another round trip.
>>>> >>
>>>> >> Another issue that's always discussed is Phishing. While I don't think we
>>>> >> will completely solve the phishing problem in the near future, there are
>>>> >> things that we can do now to help protect users from phishing. The client
>>>> >> side OpenID selectors that were demoed last week can potentially improve
>>>> >> both usability and security for users who have them installed.
>>>> >>
>>>> >> Some applications have issues with OpenID assertions being transmitted
>>>> >> unencrypted via the user's browser. I believe that the Artifact Binding WG
>>>> >> will try to address this issue.
>>>> >>
>>>> >> Anything else? It looks like there's consensus that Single Sign Out should
>>>> >> be deferred for the time being.
>>>> >>
>>>> >> Allen
>>>> >>
>>>> >> _______________________________________________
>>>> >> general mailing list
>>>> >> general at lists.openid.net
>>>> >> http://lists.openid.net/mailman/listinfo/openid-general
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> --Breno
>>>>
>>>> +1 (650) 214-1007 desk
>>>> +1 (408) 212-0135 (Grand Central)
>>>> MTV-41-3 : 383-A
>>>> PST (GMT-8) / PDT(GMT-7)
>>>>
>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Open Web Advocate
>>>
>>> Personal: http://factoryjoe.com
>>> Follow me on Twitter: http://twitter.com/chrismessina
>>>
>>> Citizen Agency: http://citizenagency.com
>>> Diso Project: http://diso-project.org
>>> OpenID Foundation: http://openid.net
>>>
>>> This email is:   [ ] shareable    [X] ask first   [ ] private
>>>
>>
>>
>
>
> --
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is:   [ ] shareable    [X] ask first   [ ] private
>
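The Session Swapping issue and the post-assertion checkid_immediate confirmation that Allen describes above, as an added simulation that is not code from this thread or from any OpenID library. It models two browsers, a toy OP and a toy RP with HTTP, discovery and signatures left out; the class and method names (Browser, OpenIDProvider, RelyingParty, session_swap, legitimate_login), the identity URLs and the cookie names are all assumptions made for the example. The OP's check_authentication stands in for direct verification of the assertion, and checkid_immediate stands in for the extra round trip through the user's browser that the thread proposes.

```python
"""Session swapping against an OpenID RP, and the proposed fix.

Added example (not the thread's or any OpenID library's code). The attack:
the attacker starts a login with his own OP account, captures the positive
assertion the OP sends back through his browser, and lures the victim's
browser into delivering it to the RP's return_to URL. The assertion is
genuine, so direct verification passes and the victim ends up logged in
as the attacker. The proposed fix: after accepting the assertion, the RP
asks the OP (checkid_immediate-style, no user interaction) whether the
browser now presenting it actually holds the OP session for that identity.
Names, identity URLs and cookie names below are assumptions."""
import secrets


class Browser:
    """A user agent: just a cookie jar, keyed by host."""
    def __init__(self, name):
        self.name = name
        self.cookies = {}


class OpenIDProvider:
    """Toy OP. A browser logs in and receives an OP cookie bound to an identity."""
    def __init__(self):
        self.sessions = {}   # op cookie -> identity
        self.issued = {}     # response nonce -> identity the assertion was issued for

    def login(self, browser, identity):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = identity
        browser.cookies['op'] = cookie

    def checkid_setup(self, browser, return_to):
        """Interactive auth: positive assertion for the browser's OP session."""
        identity = self.sessions.get(browser.cookies.get('op'))
        if identity is None:
            return None
        nonce = secrets.token_hex(8)
        self.issued[nonce] = identity
        return {'openid.mode': 'id_res', 'openid.claimed_id': identity,
                'openid.response_nonce': nonce, 'openid.return_to': return_to}

    def check_authentication(self, assertion):
        """Direct RP->OP verification. Proves the OP issued the assertion,
        but says nothing about which browser is presenting it."""
        nonce = assertion['openid.response_nonce']
        return self.issued.get(nonce) == assertion['openid.claimed_id']

    def checkid_immediate(self, browser, claimed_id):
        """No user interaction: answer only from the OP session this browser holds."""
        identity = self.sessions.get(browser.cookies.get('op'))
        if identity == claimed_id:
            return {'openid.mode': 'id_res', 'openid.claimed_id': identity}
        return {'openid.mode': 'setup_needed'}


class RelyingParty:
    def __init__(self, op, confirm_with_immediate):
        self.op = op
        self.confirm = confirm_with_immediate   # False = naive RP, True = proposed fix
        self.logins = {}                        # rp cookie -> identity

    def rp_session(self, browser):
        if 'rp' not in browser.cookies:
            browser.cookies['rp'] = secrets.token_hex(8)
        return browser.cookies['rp']

    def complete(self, browser, assertion):
        """The indirect response arrives at return_to via whichever browser brings it."""
        sid = self.rp_session(browser)
        if assertion is None or assertion['openid.mode'] != 'id_res':
            return None
        if not self.op.check_authentication(assertion):
            return None
        claimed = assertion['openid.claimed_id']
        if self.confirm:
            # Extra round trip: does THIS browser hold the OP session for claimed?
            resp = self.op.checkid_immediate(browser, claimed)
            if resp['openid.mode'] != 'id_res' or resp['openid.claimed_id'] != claimed:
                return None
        self.logins[sid] = claimed
        return claimed

    def whoami(self, browser):
        return self.logins.get(browser.cookies.get('rp'))


def session_swap(confirm):
    """Run the attack; return the identity the victim's browser ends up logged in as."""
    op = OpenIDProvider()
    rp = RelyingParty(op, confirm)
    attacker, victim = Browser('attacker'), Browser('victim')
    op.login(attacker, 'http://attacker.example/id')      # assumed identity URL
    assertion = op.checkid_setup(attacker, 'http://rp.example/return')
    # The attacker never delivers the assertion himself; the victim's browser is
    # lured to the return_to URL carrying it (link, image, redirect).
    rp.complete(victim, assertion)
    return rp.whoami(victim)


def legitimate_login():
    """The fix must not break a normal login by the browser that did the setup."""
    op = OpenIDProvider()
    rp = RelyingParty(op, True)
    alice = Browser('alice')
    op.login(alice, 'http://alice.example/id')             # assumed identity URL
    return rp.complete(alice, op.checkid_setup(alice, 'http://rp.example/return'))


if __name__ == '__main__':
    print('naive RP, victim is now:', session_swap(False))   # attacker's identity
    print('confirming RP, victim is now:', session_swap(True))   # None: rejected
    print('confirming RP, alice:', legitimate_login())
```

Two things the simulation makes visible. First, a per-assertion nonce and direct verification do not stop the swap: the assertion is used exactly once, just by the wrong browser. Second, the confirmation only helps because the OP answers from the session cookie of the browser that presents the assertion, which is why it needs the extra round trip through that browser that the thread mentions. A different, commonly used defense, not the one proposed in the thread, is for the RP to bind the return_to URL to its own session (a nonce stored in the RP cookie and checked on return), which stops the swap without a second trip to the OP.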