<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Re: [security] 2 possible flaws</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>I personally am not a huge fan of things like CERT. While working on Open Source projects I've seen too many people go file vulns without ever giving notice, just to get their hacker handle out there.<BR>
<BR>
My vote would be to contact vulnerable IdPs, give them a few days to respond, and then discuss the issue here. On this list we can actually have a useful discussion around the issue, versus it just being submitted to a list somewhere.<BR>
<BR>
My $0.02.<BR>
<BR>
--David<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Chris Drake [<A HREF="mailto:christopher@pobox.com">mailto:christopher@pobox.com</A>]<BR>
Sent: Tuesday, April 17, 2007 04:04 AM Pacific Standard Time<BR>
To: gaz_sec@hushmail.com<BR>
Cc: security@openid.net<BR>
Subject: Re: [security] 2 possible flaws<BR>
<BR>
Hi gaz,<BR>
<BR>
I think we should adopt the "normal" full-disclosure approach here?<BR>
<BR>
As far as I know, there are a few different places that accept reported<BR>
vulnerabilities and "push them out" to registered vendors, who get a<BR>
time to poke at the problem, fix it, and then in due course, the (now<BR>
fixed) vulnerability gets published and the reporter gets the "fame"<BR>
for having found and helped improve everything.<BR>
<BR>
Does anyone know more about the mechanics of this process? While I'm<BR>
a subscriber to several of these reporting things for various systems I<BR>
run, I've not actually *posted* a vulnerability before, let alone<BR>
worked out how to register a new product/service like OpenID.<BR>
<BR>
CERT is the best known place that I know of.<BR>
<BR>
Kind Regards,<BR>
Chris Drake<BR>
<BR>
<BR>
Tuesday, April 17, 2007, 7:26:20 PM, you wrote:<BR>
<BR>
ghc> Hi all<BR>
<BR>
ghc> I have been thinking about 2 possible flaws with OpenID providers,<BR>
ghc> I haven't had time to test any of them however because I've started<BR>
ghc> work on another project.<BR>
<BR>
ghc> Now they might not even exist or they could possibly create huge<BR>
ghc> flaws in every provider, worst case. I would like someone to test my<BR>
ghc> theories and see if the holes are possible to exploit.<BR>
<BR>
ghc> What do you think is the best policy here? Do you think it is safe<BR>
ghc> for me to publicly discuss this?<BR>
<BR>
ghc> Cheers<BR>
<BR>
ghc> Gareth<BR>
<BR>
_______________________________________________<BR>
security mailing list<BR>
security@openid.net<BR>
<A HREF="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</A><BR>
</FONT>
</P>
</BODY>
</HTML>