Martin,<div><br></div><div>Yes, that about sums it up. Since thinking of this potential problem I couldn't find anywhere in the OpenID 2.0 spec that calls out the caution. If it isn't there, perhaps 2.1 can add it. </div>
<div><br></div><div>As stated in my blog post, I only checked Janrain's ruby library and dotnetopenid. I haven't checked any other RPs. I hope that anyone that owns an RP implementation will check for this.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sun, Mar 8, 2009 at 9:20 AM, Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If you write an OpenID relying party library or custom implementation, you<br>
might want to review a post I just wrote on a potential security hole I've<br>
never heard anyone else talk about:<br>
<br>
<a href="http://blog.nerdbank.net/2009/03/openid-association-poisoning.html" target="_blank">http://blog.nerdbank.net/2009/03/openid-association-poisoning.html</a><br>
</blockquote>
<br></div>
So, just to be clear, the flaw here is employing a simple assoc_handle to assoc secret mapping without considering which OP belongs to the assoc_handle?<br>
<br>
That is a pretty serious problem. Have you found any RP implementations that *are* vulnerable?<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote></div><br></div>