Ok, how about this:<blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">A relying party MUST key an association using its OP Endpoint and association handle together for both storage and lookup.</blockquote>
<div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sun, Mar 8, 2009 at 9:55 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:11.0pt;color:#1F497D">If it is critical that some security enforcing function is done, it
must be stated [in open standards communities (*)].</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">Furthermore the means by which one would detect violation of the
control must be normalized (so different libraries don’t use different tests
to induce the error state). If there is an error state, the standard should
normalize what is done, with the usual conformance rules (SHOULD, MUST, etc).</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">What we don’t want is that the RP website designer has to
do any of this; it has to be addressed by the library/protocol engine delivering
a complete set of security enforcing functions. The only thing an app designer
has to do is then profile the identifier syntax and the trust model (just like
in https). We don’t want “special security engineering skills”
to be required merely to add on websso to a website.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">--</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">(*) In some ISO-security/telematic standards produced in the late
1980s, many of the contributing global telco companies would withhold 10% of
the scheme from standardization in favor of “implementation knowhow”,
so standards acted as a barrier to entry. Typically, submarine patents would be
placed - addressing the 10% “effectiveness” areas - to
control the competitive phases of the market. It will be interesting to see
what the culture is in OpenID too, where one sees such dominance of the
movement these days by mega-large companies, who are assuredly patenting away
as we speak – given the way the Foundation is set up about patent issues.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Sunday, March 08, 2009 10:39 AM<br>
<b>To:</b> OpenID List<div class="im"><br>
<b>Subject:</b> Re: [OpenID] Association poisoning</div></span></p>
</div>
</div>
<p> </p>
<p>Martin,</p><div><div></div><div class="h5">
<div>
<p> </p>
</div>
<div>
<p>Yes, that about sums it up. Since thinking of this
potential problem, I couldn't find anywhere in the OpenID 2.0 spec that calls
out the caution. If it isn't there, perhaps 2.1 can add it. </p>
</div>
<div>
<p> </p>
</div>
<div>
<p style="margin-bottom:12.0pt">As stated in my blog post, I
only checked Janrain's ruby library and dotnetopenid. I haven't checked
any other RPs. I hope that anyone that owns an RP implementation will
check for this.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Sun, Mar 8, 2009 at 9:20 AM, Martin Atkins <<a href="mailto:mart@degeneration.co.uk" target="_blank">mart@degeneration.co.uk</a>> wrote:</p>
<div>
<p>Andrew Arnott wrote:</p>
<p>If you write an OpenID relying party library or custom
implementation, you<br>
might want to review a post I just wrote on a potential security hole I've<br>
never heard anyone else talk about:<br>
<br>
<a href="http://blog.nerdbank.net/2009/03/openid-association-poisoning.html" target="_blank">http://blog.nerdbank.net/2009/03/openid-association-poisoning.html</a></p>
<p> </p>
</div>
<p>So, just to be clear, the flaw here is employing a simple
assoc_handle to assoc secret mapping without considering which OP belongs to
the assoc_handle?<br>
<br>
That is a pretty serious problem. Have you found any RP implementations that
*are* vulnerable?<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a></p>
</div>
<p> </p>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br></div>
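<p>As an added illustration of the flaw Martin summarises and of the keying rule proposed at the top of this message (example code, not taken from any of the libraries named in the thread): a Python sketch of an RP association store keyed by assoc_handle alone beside one keyed by (OP endpoint, handle), plus a regression check an RP maintainer can run against their own store. The endpoints, handles and secrets are constructed values; the signature is computed as OpenID 2.0 key-value form under HMAC-SHA256.</p>

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

def kv_signature(secret: bytes, fields: Dict[str, str]) -> str:
    """HMAC-SHA256 over the key-value form of the fields named in
    openid.signed (names carry no openid. prefix), base64 as in OpenID 2.0."""
    kv = "".join(f"{name}:{fields['openid.' + name]}\n"
                 for name in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()

class HandleKeyedStore:
    """Vulnerable shape: the association is keyed by assoc_handle alone, so a
    second OP that hands out the same handle overwrites the first OP's secret."""
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
    def store(self, op_endpoint: str, handle: str, secret: bytes) -> None:
        self._secrets[handle] = secret            # op_endpoint is ignored
    def lookup(self, op_endpoint: str, handle: str) -> Optional[bytes]:
        return self._secrets.get(handle)

class EndpointKeyedStore:
    """Hardened shape: (OP endpoint, handle) is the key for storage and lookup."""
    def __init__(self) -> None:
        self._secrets: Dict[Tuple[str, str], bytes] = {}
    def store(self, op_endpoint: str, handle: str, secret: bytes) -> None:
        self._secrets[(op_endpoint, handle)] = secret
    def lookup(self, op_endpoint: str, handle: str) -> Optional[bytes]:
        return self._secrets.get((op_endpoint, handle))

def verify_response(store, fields: Dict[str, str]) -> bool:
    """RP-side check: look up the secret for the asserting OP endpoint and
    handle, then recompute the signature over the signed fields."""
    secret = store.lookup(fields["openid.op_endpoint"], fields["openid.assoc_handle"])
    if secret is None:
        return False
    return hmac.compare_digest(kv_signature(secret, fields), fields["openid.sig"])

def regression_check(store) -> bool:
    """Constructed scenario: two OPs chose the same handle; a response names
    OP A but is signed with OP B's secret. Returns True if the RP accepts it."""
    op_a, op_b, handle = "https://op-a.example/", "https://op-b.example/", "h1"
    store.store(op_a, handle, b"constructed-secret-a")
    store.store(op_b, handle, b"constructed-secret-b")
    fields = {"openid.op_endpoint": op_a, "openid.assoc_handle": handle,
              "openid.claimed_id": "https://op-a.example/alice",
              "openid.signed": "op_endpoint,assoc_handle,claimed_id"}
    fields["openid.sig"] = kv_signature(b"constructed-secret-b", fields)
    return verify_response(store, fields)
```

<p>A store that returns True from regression_check is the simple assoc_handle-to-secret mapping the thread warns about; the endpoint-keyed store returns False because the lookup for OP A never sees OP B's secret.</p>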