[security] 2 possible flaws
Chris Drake
christopher at pobox.com
Tue Apr 17 11:02:47 UTC 2007
Hi gaz,
I think we should adopt the "normal" full-disclosure approach here?
As far as I know, there are a few different places that accept reported
vulnerabilities and "push them out" to registered vendors, who get a
time to poke at the problem, fix it, and then in due course, the (now
fixed) vulnerability gets published and the reporter gets the "fame"
for having found and helped improve everything.
Does anyone know more about the mechanics of this process? While I'm
a subscriber to several of these reporting things for various systems I
run, I've not actually *posted* a vulnerability before, let alone
worked out how to register a new product/service like OpenID.
CERT is the best known place that I know of.
Kind Regards,
Chris Drake
Tuesday, April 17, 2007, 7:26:20 PM, you wrote:
ghc> -----BEGIN PGP SIGNED MESSAGE-----
ghc> Hash: SHA1
ghc> Hi all
ghc> I have been thinking about 2 possible flaws with OpenID providers,
ghc> I haven't had time to test any of them however because I've started
ghc> work on another project.
ghc> Now they might not even exist or they could possibly create huge
ghc> flaws in every provider, worst case. I would like someone to test my
ghc> theories and see if the holes are possible to exploit.
ghc> What do you think is the best policy here? Do you think it is safe
ghc> for me to publicly discuss this?
ghc> Cheers
ghc> Gareth
ghc> -----BEGIN PGP SIGNATURE-----
ghc> Note: This signature can be verified at
ghc> https://www.hushtools.com/verify
ghc> Version: Hush 2.5
ghc> -----END PGP SIGNATURE-----