[security] 2 possible flaws
Recordon, David
drecordon at verisign.com
Tue Apr 17 17:46:33 UTC 2007
I personally am not a huge fan of things like CERT. While working on Open Source projects I've seen too many people go and file vulns without ever giving notice, just to get their hacker handle out there.
My vote would be to contact vulnerable IdPs, give them a few days to respond, and then discuss the issue here. On this list we can actually have a useful discussion around the issue, versus it just being submitted to a list somewhere.
My $0.02.
--David
-----Original Message-----
From: Chris Drake [mailto:christopher at pobox.com]
Sent: Tuesday, April 17, 2007 04:04 AM Pacific Standard Time
To: gaz_sec at hushmail.com
Cc: security at openid.net
Subject: Re: [security] 2 possible flaws
Hi gaz,
I think we should adopt the "normal" full-disclosure approach here?
As far as I know, there are a few different places that accept reported
vulnerabilities and "push them out" to registered vendors, who get
time to poke at the problem, fix it, and then in due course the (now
fixed) vulnerability gets published and the reporter gets the "fame"
for having found and helped improve everything.
Does anyone know more about the mechanics of this process? While I'm
a subscriber to several of these reporting things for various systems I
run, I've not actually *posted* a vulnerability before, let alone
worked out how to register a new product/service like OpenID.
CERT is the best known place that I know of.
Kind Regards,
Chris Drake
Tuesday, April 17, 2007, 7:26:20 PM, you wrote:
ghc> Hi all
ghc> I have been thinking about 2 possible flaws with OpenID providers.
ghc> I haven't had time to test any of them, however, because I've started
ghc> work on another project.
ghc> Now they might not even exist, or they could possibly create huge
ghc> flaws in every provider in the worst case. I would like someone to test my
ghc> theories and see if the holes are possible to exploit.
ghc> What do you think is the best policy here? Do you think it is safe
ghc> for me to publicly discuss this?
ghc> Cheers
ghc> Gareth
_______________________________________________
security mailing list
security at openid.net
http://openid.net/mailman/listinfo/security