[security] AX Security in python-openid

John Bradley ve7jtb at ve7jtb.com
Fri Jul 27 17:52:09 UTC 2012


Attributes being signed is not a requirement for the AX spec and hence the concern if you are depending on verified attributes like email.

There is likely a configuration option in python-openid to reject unsigned attributes, but I don't know the code.

John B.
On 2012-07-26, at 6:54 PM, Mike Sun wrote:

> Hi --
> 
> I'm using python-openid for my RP and Google Marketplace wanted to make sure this implementation is not vulnerable to spoofed, non-signed attributes such as email addresses.
> 
> See: http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html
> 
> Looking at the python-openid code, it seems that the default requires that only signed attributes are allowed to be passed in the response.
> 
> See: https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py
> 
> Can anyone confirm that it is true that python-openid checks that the attribute is signed by the correct corresponding IDP?
> 
> Thanks,
> Mike
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
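The check the thread is asking about, as an added example that is not python-openid's own code: it models how an OpenID 2.0 Relying Party should treat AX attributes in an `id_res` response. It assumes the response is the flat dict of `openid.*` parameters the OP sent back, that `openid.signed` lists the signed field names without the `openid.` prefix, and that the HMAC over those signed fields has already been verified against the association. The sample responses are constructed, and only single-valued attributes are handled.

```python
# Added example (not python-openid's own code): a Relying Party must refuse AX
# attributes such as email unless every AX field, including the namespace
# declaration, is covered by the OP's signature. Assumes the signature over
# "openid.signed" has already been verified. Sample responses are constructed.

AX_NS = "http://openid.net/srv/ax/1.0"


def signed_fields(response):
    """Return the set of field names (without 'openid.') the OP signed."""
    raw = response.get("openid.signed", "")
    return {f.strip() for f in raw.split(",") if f.strip()}


def ax_alias(response):
    """Find the alias under which AX was declared, e.g. 'ax' for openid.ns.ax."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def signed_ax_attributes(response):
    """Return {type_uri: value} for AX attributes, or None if any AX field is unsigned.

    A single unsigned field in the AX namespace taints the whole namespace:
    anyone who can alter the redirect could add or change such a field without
    invalidating the signature, so nothing in it can be trusted.
    """
    alias = ax_alias(response)
    if alias is None:
        return None
    signed = signed_fields(response)
    # The namespace declaration itself must be signed, or the alias could be remapped.
    if f"ns.{alias}" not in signed:
        return None
    prefix = f"openid.{alias}."
    ax_args = {k[len("openid."):]: v for k, v in response.items() if k.startswith(prefix)}
    for field in ax_args:
        if field not in signed:
            return None
    # Pair <alias>.type.<name> with <alias>.value.<name> (single-valued only).
    attrs = {}
    type_prefix = f"{alias}.type."
    for field, type_uri in ax_args.items():
        if field.startswith(type_prefix):
            name = field[len(type_prefix):]
            value = ax_args.get(f"{alias}.value.{name}")
            if value is not None:
                attrs[type_uri] = value
    return attrs


# Constructed sample responses (not captured traffic).
_BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example/alice",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
}
SIGNED_RESPONSE = dict(
    _BASE, **{"openid.signed": "ns,mode,claimed_id,ns.ax,ax.mode,ax.type.email,ax.value.email"}
)
# AX fields present but outside the signature: must be rejected.
UNSIGNED_AX_RESPONSE = dict(_BASE, **{"openid.signed": "ns,mode,claimed_id"})
# Namespace and type signed, but the value is not: still rejected.
PARTIAL_AX_RESPONSE = dict(
    _BASE, **{"openid.signed": "ns,mode,claimed_id,ns.ax,ax.mode,ax.type.email"}
)

if __name__ == "__main__":
    for label, resp in [("signed", SIGNED_RESPONSE), ("unsigned", UNSIGNED_AX_RESPONSE),
                        ("partial", PARTIAL_AX_RESPONSE)]:
        print(label, "->", signed_ax_attributes(resp))
```

The "all or nothing" rule per namespace is the conservative choice: accepting a mix of signed and unsigned fields from the same extension invites confusion about which values were actually vouched for by the OP.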
