[security] AX Security in python-openid

Nat Sakimura sakimura at gmail.com
Fri Jul 27 17:43:20 UTC 2012


Actually, you should never use anything but the openid.claimed_id in
the positive assertion to identify the user.
This or openid.identity is the only value that could possibly be
used to identify the user.

You may also want to read this:

http://nat.sakimura.org/2012/04/27/comments-on-wang-chen-wang-paper/

Nat

On Fri, Jul 27, 2012 at 10:54 AM, Mike Sun <msun at bluespot.org> wrote:
> Hi --
>
> I'm using python-openid for my RP and Google Marketplace wanted to make sure
> this implementation is not vulnerable to spoofed, non-signed attributes such
> as email addresses.
>
> See:
> http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html
>
> Looking at the python-openid code, it seems that the default requires that
> only signed attributes are allowed to be passed in the response.
>
> See:
> https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py
>
> Can anyone confirm that it is true that python-openid checks that the
> attribute is signed by the correct corresponding IDP?
>
> Thanks,
> Mike
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
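The check the thread is asking about, as an added example that is not python-openid's code and not part of either message: given the query parameters of an OpenID 2.0 positive assertion, key the account on a signed openid.claimed_id (falling back to a signed openid.identity), and accept AX fetch_response attributes only when every AX field, including the openid.ns.<alias> binding, is listed in openid.signed. It assumes the signature itself (openid.sig over the openid.signed fields) has already been verified through the association or check_authentication; the sample responses, the identifiers in them, and the all-or-nothing rule for a partially signed extension response are constructed for the example.

```python
"""Added example (not python-openid code): decide which fields of an OpenID 2.0
positive assertion are actually covered by openid.signed before trusting them.

Assumption: openid.sig has already been verified over the openid.signed fields
(via the association or check_authentication). This code only enforces that the
user identifier and any AX attributes come from the signed part of the message.
"""

AX_NS = "http://openid.net/srv/ax/1.0"


def signed_fields(params):
    """Field names listed in openid.signed (given without the 'openid.' prefix)."""
    return {f for f in params.get("openid.signed", "").split(",") if f}


def user_identifier(params):
    """Identifier to key the account on: signed openid.claimed_id, else signed
    openid.identity. Returns None if neither is signed; unsigned values could
    have been injected by whoever assembled the URL."""
    signed = signed_fields(params)
    for field in ("claimed_id", "identity"):
        if field in signed and "openid." + field in params:
            return params["openid." + field]
    return None


def ax_alias(params):
    """Extension alias bound to the AX namespace, e.g. 'ax' for openid.ns.ax."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def signed_ax_attributes(params):
    """Return {type_uri: [values]} from an AX fetch_response.

    All-or-nothing (constructed rule for this example): if any AX field, or the
    ns.<alias> binding that defines the alias, is outside openid.signed, the
    whole extension response is discarded and {} is returned.
    """
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = "openid." + alias + "."
    ax_fields = {k[len("openid."):] for k in params if k.startswith(prefix)}
    ax_fields.add("ns." + alias)
    if not ax_fields <= signed_fields(params):
        return {}
    if params.get(prefix + "mode") != "fetch_response":
        return {}
    result = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        count_key = prefix + "count." + name
        if count_key in params:
            # multi-valued form: value.<name>.1 .. value.<name>.N
            n = int(params[count_key])
            candidates = (params.get(f"{prefix}value.{name}.{i}") for i in range(1, n + 1))
            values = [v for v in candidates if v is not None]
        else:
            single = params.get(prefix + "value." + name)
            values = [single] if single is not None else []
        result[type_uri] = values
    return result


# Constructed sample: a fully signed assertion with one AX attribute.
SIGNED_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/auth",
    "openid.claimed_id": "https://example.com/id/alice",
    "openid.identity": "https://example.com/id/alice",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2012-07-27T10:54:00Zconstructed",
    "openid.assoc_handle": "handle-1",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    "openid.sig": "<assumed already verified>",
}

# Constructed sample: same core assertion, but the AX fields are not in
# openid.signed (the case from the advisory quoted in the thread).
UNSIGNED_AX_RESPONSE = dict(SIGNED_RESPONSE)
UNSIGNED_AX_RESPONSE["openid.signed"] = (
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
)

if __name__ == "__main__":
    for label, resp in (("signed", SIGNED_RESPONSE), ("unsigned AX", UNSIGNED_AX_RESPONSE)):
        print(label, "->", user_identifier(resp), signed_ax_attributes(resp))
```

With the second response the user is still identified (claimed_id is signed) but no email is returned, which is the behaviour an RP wants: an attribute that the OP did not sign is simply not data.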

