<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks Andrew, I think DNOA is the only RP lib doing that.<div><br></div><div>John B.<br><div><div>On 2011-03-24, at 3:27 PM, Andrew Arnott wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">FYI, DotNetOpenAuth performs CRL checks regardless of profile if the web.config file is set correctly. All the samples DNOA ships with have this turned on by default. <br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
<div><span style="line-height:14px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;font-size:13px">We're hiring! My team at Microsoft has 7 open slots. <a href="http://bit.ly/fZBVUo" target="_blank">http://bit.ly/fZBVUo</a></span></div>
<br>
<br><br><div class="gmail_quote">On Thu, Mar 24, 2011 at 10:19 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">The obvious vulnerability would be an attacker that knew some number of openIDs at a given RP; by spoofing DNS and SSL they could gain access to those accounts by setting up a rogue IdP with the fraudulent SSL cert. <div>
<br></div><div>This requires a DNS or routing vulnerability at the RP to be successful.</div><div><br></div><div>Not an easy attack.</div><div><br></div><div>However, no attack is good.</div><div><br></div><div>For the FICAM OpenID profile we required OCSP or CRL checking for RPs to mitigate this risk.</div>
<div><br></div><div>John B.</div><div><div></div><div class="h5"><div><br><div><div>On 2011-03-24, at 1:08 PM, Mike Hanson wrote:</div><br><blockquote type="cite"><div style="word-wrap:break-word">Thanks for the clarification, Phillip.<div>
<br></div><div>m</div><div><br><div><div>On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:</div><br><blockquote type="cite">No login servers were affected.<div><br></div><div>Several domains on which the servers are deployed were affected but not the login servers.</div>
<div><br></div><div><br><br><div class="gmail_quote">On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <span dir="ltr"><<a href="mailto:mhanson@mozilla.com" target="_blank">mhanson@mozilla.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Comodo has posted a detailed incident report here:<br>
<a href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html" target="_blank">http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html</a><br>
<br>
Several login servers were affected.<br>
<br>
-MH<br>
<div><div></div><div><br>
<br>
On Mar 24, 2011, at 7:09 AM, John Bradley wrote:<br>
<br>
><br>
><br>
> <a href="http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular" target="_blank">http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular</a><br>
><br>
> The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open.<br>
><br>
> In testing, something like 0% of RPs check OCSP or CRL; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).<br>
><br>
> So perhaps encouraging people to perform those checks would be a good idea.<br>
><br>
> We can only hope that none of the 9 certificates cover openID OP, otherwise user accounts at RP could theoretically be compromised.<br>
><br>
> John B.<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> security mailing list<br>
> <a href="mailto:security@lists.openid.net" target="_blank">security@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-security" target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Website: <a href="http://hallambaker.com/" target="_blank">http://hallambaker.com/</a><br><br>
</div>
</blockquote></div><br></div></div></blockquote></div><br></div></div></div></div><br>
<br></blockquote></div><br>
</blockquote></div><br></div></body></html>