[security] reporting security flaws
John Bradley
ve7jtb at ve7jtb.com
Mon Mar 3 08:17:20 UTC 2014
Hi James,
The work group is discussing the issue on calls and at our F2F meetings in London this week.
Mike and Nat were tasked with interacting with you on this to keep the noise level down.
The self-issued functionality is currently only being experimented with by a couple of people who are aware of the issue.
The issue will be addressed but we want to do it once correctly rather than in steps.
Thanks for the input. We will likely be back to you off list with possible errata text soon.
Regards
John B.
On Mar 2, 2014, at 11:43 PM, Manger, James <James.H.Manger at team.telstra.com> wrote:
> [was RE: [security] OIC self-issued mode is insecure]
>
>> I'm not sure everyone in the Connect WG follows this list -- suggest we
>> get it into the WG mailing list so it is visible to all the
>> participants, and into bitbucket as a tracked issue, if it isn't
>> already (I haven't seen the notice come through but may have just
>> missed it).
>
> Sounds sensible, though I cannot do it as I don't have permission.
>
> Needing to sign a legal contribution agreement and join a working group mailing list seems far too high a hurdle to report a security flaw. Clean IPR is important, but an easy feedback channel to ensure the group hears about security issues is even more important.
>
> --
> James Manger