Can we try to keep all this documentation on the actual OpenID wiki?<div><br></div><div>Is there a reason that this OpenID Review Google Site was created?</div><div><br></div><div>I just want to 1) keep things in a convenient, central place and 2) have a standard means to report these issues.</div>
<div><br></div><div>Also, using a <a href="http://non-openid.net">non-openid.net</a> domain seems, well, kind of like a missed opportunity.</div><div><br></div><div>Chris<br><br><div class="gmail_quote">On Mon, Nov 16, 2009 at 9:48 AM, Breno de Medeiros <span dir="ltr"><<a href="mailto:breno@google.com">breno@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Mike Hanson took the notes and shared them with Jeff Hodges and<br>
myself. I thought he had also sent them to the IIW note repository,<br>
but if he did not, here is a public accessible copy:<br>
<br>
<a href="http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr" target="_blank">http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr</a><br>
<div><div></div><div class="h5"><br>
On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <<a href="mailto:email@ashishjain.com">email@ashishjain.com</a>> wrote:<br>
> Allen,<br>
> Here is a link to some more description around the issues:<br>
> <a href="https://sites.google.com/site/openidreview/issues" target="_blank">https://sites.google.com/site/openidreview/issues</a><br>
><br>
> Here is a link to the resources/papers that we mentioned:<br>
> <a href="https://sites.google.com/site/openidreview/resources" target="_blank">https://sites.google.com/site/openidreview/resources</a><br>
><br>
> I haven't been able to find notes from Breno's IIW session. Here is a link<br>
> to the whiteboard picture: <a href="http://www.flickr.com/photos/_nat/4075945912/" target="_blank">http://www.flickr.com/photos/_nat/4075945912/</a><br>
><br>
> Thanks,<br>
> -Ashish<br>
><br>
><br>
><br>
> On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
>><br>
>> Hi All,<br>
>><br>
>> There were several security discussions last week at the OpenID Summit and<br>
>> IIW, and it's about time that we follow up on them:<br>
>><br>
>> For those of you who weren't able to attend last week, some of the presos<br>
>> are here:<br>
>> <a href="http://wiki.openid.net/OpenIDSummit2009" target="_blank">http://wiki.openid.net/OpenIDSummit2009</a><br>
>><br>
>> And I started a wiki here:<br>
>> <a href="http://wiki.openid.net/SecurityIssues" target="_blank">http://wiki.openid.net/SecurityIssues</a><br>
>><br>
>> A new issue (at least to me) is the Session Swapping issue reported by<br>
>> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution<br>
>> is to have the RP do something similar to a checkid_immediate request after<br>
>> receiving an assertion. This would allow the RP and OP to confirm that the<br>
>> assertion was actually issued by the OP to the user that's trying to<br>
>> authenticate at the RP, at the cost of another round trip.<br>
>><br>
>> Another issue that's always discussed is Phishing. While I don't think we<br>
>> will completely solve the phishing problem in the near future, there are<br>
>> things that we can do now to help protect users from phishing. The client<br>
>> side OpenID selectors that were demoed last week can potentially improve<br>
>> both usability and security for users who have them installed.<br>
>><br>
>> Some applications have issues with OpenID assertions being transmitted<br>
>> unencrypted via the user's browser. I believe that the Artifact Binding WG<br>
>> will try to address this issue.<br>
>><br>
>> Anything else? It looks like there's consensus that Single Sign Out should<br>
>> be deferred for the time being.<br>
>><br>
>> Allen<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> general mailing list<br>
>> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
><br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
><br>
><br>
<br>
<br>
<br>
</div></div><font color="#888888">--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net">http://openid.net</a><br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>
</div>