[security] Email addresses as primary identifiers, and unsolicited assertions

Andrew Arnott andrewarnott at gmail.com
Thu Apr 21 14:37:14 UTC 2011


I wanted to expand the scope of the recent email address as primary
identifier exploit and call out the caution so that folks who are currently
fixing their RPs can also be aware of another issue to check for.

Even when the email address is signed, if it came from the wrong OP Endpoint
of course it can't be trusted.  I'm concerned because I suspect a lot of RPs
naively assume that if the OP they trust is the only one they send their
users to, that that is the only OP they'll get a response from.  Of course
with unsolicited assertions that's not the case, and RPs must go to extra
trouble to disable unsolicited assertions and many of them may not be doing
that.  So I'm *guessing* that a lot of RPs out there that misuse email
address as the primary identifier are vulnerable to a signed email address
from a rogue OP attack.

Particularly to those OPs that tend to be trusted for email addresses and
are already in contact with their RPs lately, maybe this would make a good
addition to their advisories.  I'm happy to provide instructions for you to
forward to your DotNetOpenAuth RPs if desired.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
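An added example (not from the post, and not DotNetOpenAuth code) of the RP-side check the post calls for: a positive assertion is accepted only if its signature verifies against the OP named in openid.op_endpoint and it answers a request this RP actually sent to that same OP, so a signed email from a rogue OP in an unsolicited assertion is rejected. The OP URLs, the nonce carried in return_to, and the AX-style email field are constructed sample values; the key-value form and HMAC signature follow the OpenID 2.0 wire format.

```python
import base64, hashlib, hmac

def kv_form(params, fields):
    # OpenID 2.0 key-value form over the fields named in openid.signed
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()

def sign(params, mac_key):
    fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

class RelyingParty:
    def __init__(self, trusted_op):
        self.trusted_op = trusted_op  # the only OP this RP ever sends users to
        self.assocs = {}              # op_endpoint -> shared MAC key (models
        self.pending = {}             #   associations, or check_authentication)
                                      # pending: nonce placed in return_to -> OP asked
    def begin(self, nonce):
        # Remember which OP the user was redirected to for this request
        self.pending[nonce] = self.trusted_op

    def complete(self, params):
        """Return the account key for an accepted assertion, else None."""
        if params.get("openid.mode") != "id_res":
            return None
        op = params.get("openid.op_endpoint")
        mac_key = self.assocs.get(op)
        if mac_key is None:
            return None
        if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
            return None  # signature does not verify against the named OP
        # A valid signature only proves the assertion came from the OP named in
        # op_endpoint. It must also answer a request this RP sent to that same
        # OP; otherwise it is unsolicited and the signed email proves nothing.
        nonce = params.get("openid.return_to", "").rsplit("nonce=", 1)[-1]
        if self.pending.pop(nonce, None) != op:
            return None
        # Key the account on the verified claimed_id, never on the email alone
        return params["openid.claimed_id"]

def make_assertion(op_endpoint, claimed_id, nonce, email, mac_key):
    # Constructed sample positive assertion, signed with the given OP's key
    p = {"openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
         "openid.claimed_id": claimed_id, "openid.ext1.value.email": email,
         "openid.return_to": f"https://rp.example/finish?nonce={nonce}",
         "openid.signed": "op_endpoint,claimed_id,return_to,ext1.value.email"}
    p["openid.sig"] = sign(p, mac_key)
    return p
```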