[security] security hole in signature algorithm

Dick Hardt dick at sxip.com
Mon Nov 20 19:40:49 UTC 2006


Ah, there it is! Seriously, I looked through the document and did not  
find it, and when chatting with Recordon last week, I understood from  
him the same thing I was thinking. (I might have misunderstood him)

Section 6.1 misled me to think that it was the algorithm, as it
talks about appending the key and value to the list. Perhaps a link
to the KV algorithm there would be useful here?

-- Dick

On 20-Nov-06, at 10:37 AM, Josh Hoyt wrote:

> On 11/19/06, Dick Hardt <dick at sxip.com> wrote:
>> I don't see the newline and colon in this description. Is it hidden
>> somewhere else in the spec?
>
> I'm not sure I'd call it hidden. Under section 7 (Signatures)
> (this is draft 10 text)
>
> http://openid.net/specs/openid-authentication-2_0-10.html#anchor12
>
> ----
>
> 7.2.  Procedure
>
> To generate a message signature:
>
>   1. Determine the appropriate signature list and signature algorithm
> from the association type (Establishing Associations).
>   2. Generate the list to be signed using the correct list algorithm.
>   3. Convert the list to an octet string by encoding with Key Value
> Form (Key-Value Form Encoding)
>   4. Apply the correct signature algorithm to the octet string.
>
> ----
>
> Josh
>
>
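As an added worked example (not code from this thread or from the OpenID specification), the four-step signing procedure quoted above in Python: the fields named in openid.signed are listed in order, Key-Value Form encoded as one `key:value\n` line each, and the resulting octets are HMAC'd with the association MAC key; the sample parameters and key are constructed.

```python
import base64
import hashlib
import hmac

# Hash function selected by the association type (step 1 of the procedure).
ASSOC_HASH = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form_encode(pairs):
    """Key-Value Form Encoding (step 3): one 'key:value\\n' line per pair,
    in list order. Keys must not contain ':' or newlines; values no newlines."""
    for key, value in pairs:
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("illegal character in key-value pair: %r" % key)
    return "".join("%s:%s\n" % (key, value) for key, value in pairs)


def signed_list(params, signed_fields):
    """Build the list to be signed (step 2): for each field in openid.signed,
    in that order, the key without the 'openid.' prefix and its value."""
    return [(field, params["openid." + field]) for field in signed_fields]


def sign(params, mac_key, assoc_type):
    """Step 4: base64(HMAC(mac_key, KV-form octets of the signed list))."""
    signed_fields = params["openid.signed"].split(",")
    octets = kv_form_encode(signed_list(params, signed_fields)).encode("utf-8")
    digest = hmac.new(mac_key, octets, ASSOC_HASH[assoc_type]).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(params, mac_key, assoc_type):
    """Recompute the signature and compare it to openid.sig in constant time."""
    expected = sign(params, mac_key, assoc_type)
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


# Constructed sample response; endpoint, return_to and handle are placeholders.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/endpoint",
    "openid.return_to": "https://rp.example.com/return",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "ns,mode,op_endpoint,return_to,assoc_handle",
}
MAC_KEY = b"constructed-mac-key-not-a-real-secret"  # assumed shared secret

if __name__ == "__main__":
    sig = sign(SAMPLE, MAC_KEY, "HMAC-SHA256")
    print(kv_form_encode(signed_list(SAMPLE, SAMPLE["openid.signed"].split(","))))
    print("openid.sig:", sig, "verifies:", verify(dict(SAMPLE, **{"openid.sig": sig}), MAC_KEY, "HMAC-SHA256"))
```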
