<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Yeah, I've been volunteered to write a Security Best Practices document
(which presumably will be a living doc) for OpenID 2.1:<br>
<br>
(see the very bottom of the doc)<br>
<a class="moz-txt-link-freetext" href="http://wiki.openid.net/OpenID_Authentication_2_1#Initial_Editors">http://wiki.openid.net/OpenID_Authentication_2_1#Initial_Editors</a><br>
<br>
As far as I know, nobody has started work on the OpenID 2.1 spec yet.<br>
<br>
Allen<br>
<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900903091324vaef8b09wcc1fc675ad80e896@mail.gmail.com"
type="cite">A living security document? Awesome!<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
<div class="gmail_quote">On Mon, Mar 9, 2009 at 11:55 AM, Allen Tom <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Andrew - thanks for
documenting this potential security issue that RP
library developers must keep in mind when storing associations. As far
as I can tell, the OpenID 2.0 spec does not mention that RPs must key
the association with the OP-endpoint, although fortunately it appears
that libs already do this.<br>
<br>
The future OpenID 2.1 spec will contain a pointer to a living security
document which will definitely mention this issue.<br>
<br>
Thanks<br>
Allen<br>
<br>
<br>
<br>
Andrew Arnott wrote:
<blockquote type="cite">
<div>
<div class="h5">Ok, how about this:
<blockquote
style="border: medium none ; margin: 0pt 0pt 0pt 40px; padding: 0px;">A
relying party MUST key an association using its OP Endpoint and
association handle together for both storage and lookup.</blockquote>
<div>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
<div class="gmail_quote">On Sun, Mar 8, 2009 at 9:55 AM, Peter
Williams <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">If
it is
critical that some security enforcing function is done it
must be stated [in open standards communities (*)].</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Furthermore
the means by which one would detect violation of the
control must be normalized (so different libraries don’t use different
tests
to induce the error state). If there is an error state, the standard
should
normalize what is done, with the usual conformance rules (SHOULD, MUST,
etc).</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">What
we
don’t want is the that RP website designer has to
do any of this ; it has to be addressing by the library/protocol engine
delivering
a complete set of security enforcing functions. The only thing an app
designers
has to do is then profile the identifier syntax and the trust model
(just like
in https). We don’t want “special security engineering skills”
to be required, merely to addon websso to a website.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">--</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">(*)
In
some ISO-security/telematic standards produced in the late
1980s, many of the contributing global telco companies would withhold
10% of
the scheme from standardization in favor of “implementation knowhow”,
so standards acted as a barrier to entry. Typically, submarine patents
would be
being placed - addressing the 10% “effectiveness” areas - to
control the competitive phased of the market. It will be interesting to
see
what the culture is in OpenID too, where one sees such dominance of the
movement these days by mega-large companies, who are assuredly
patenting away
as we speak – given the way the Foundation is setup about patent issues.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div
style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span
style="font-size: 10pt;"> <a moz-do-not-send="true"
href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a moz-do-not-send="true"
href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Sunday, March 08, 2009 10:39 AM<br>
<b>To:</b> OpenID List
<div><br>
<b>Subject:</b> Re: [OpenID] Association poisoning</div>
</span></p>
</div>
</div>
<p> </p>
<p>Martin,</p>
<div>
<div>
<div>
<p> </p>
</div>
<div>
<p>Yes, that about sums it up. Since thinking of this
potential problem I couldn't find anywhere in the OpenID 2.0 spec that
calls
out the caution. If it isn't there, perhaps 2.1 can add it. </p>
</div>
<div>
<p> </p>
</div>
<div>
<p style="margin-bottom: 12pt;">As stated in my blog post, I
only checked Janrain's ruby library and dotnetopenid. I haven't
checked
any other RPs. I hope that anyone that owns an RP implementation will
check for this.<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Sun, Mar 8, 2009 at 9:20 AM, Martin Atkins <<a
moz-do-not-send="true" href="mailto:mart@degeneration.co.uk"
target="_blank">mart@degeneration.co.uk</a>> wrote:</p>
<div>
<p>Andrew Arnott wrote:</p>
<p>If you write an OpenID relying party library or custom
implementation, you<br>
might want to review a post I just wrote on a potential security hole
I've<br>
never heard anyone else talk about:<br>
<br>
<a moz-do-not-send="true"
href="http://blog.nerdbank.net/2009/03/openid-association-poisoning.html"
target="_blank">http://blog.nerdbank.net/2009/03/openid-association-poisoning.html</a></p>
<p> </p>
</div>
<p>So, just to be clear, the flaw here is employing a simple
assoc_handle to assoc secret mapping without considering which OP
belongs to
the assoc_handle?<br>
<br>
That is a pretty serious problem. Have you found any RP implementations
that
*are* vulnerable?<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net"
target="_blank">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a></p>
</div>
<p> </p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<pre><hr size="4" width="90%"><div class="im">_______________________________________________
general mailing list
<a moz-do-not-send="true" href="mailto:general@openid.net"
target="_blank">general@openid.net</a>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a>
</div></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>