<div>I wanted to expand the scope of the recent email address as primary identifier exploit and call out the caution so that folks who are currently fixing their RPs can also be aware of another issue to check for.</div><div>
</div><div>Even when the email address is signed, if it came from the wrong OP Endpoint of course it can't be trusted. I'm concerned because I suspect a lot of RPs naively assume that if the OP they trust is the only one they send their users to, it is the only OP they'll get a response from. Of course with unsolicited assertions that's not the case, and RPs must go to extra trouble to disable unsolicited assertions, and many of them may not be doing that. So I'm <em>guessing</em> that a lot of RPs out there that misuse email address as the primary identifier are vulnerable to a signed email address from a rogue OP attack.</div>
<div> </div><div>Particularly to those OPs that tend to be trusted for email addresses and are already in contact with their RPs lately, maybe this would make a good addition to their advisories. I'm happy to provide instructions for you to forward to your DotNetOpenAuth RPs if desired.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
</div>
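<div>The following is an added example and is not part of the message above or of DotNetOpenAuth. It shows the checks an RP can apply to a signed OpenID 2.0 positive assertion before trusting its email claim: the signature must verify under an association the RP itself holds, the signed fields must cover the values relied on, the return_to must carry a nonce this RP issued (so unsolicited assertions are refused), and the asserting op_endpoint must both match that association's OP and be on the list of OPs trusted for email. The OP allowlist, association secrets, RP nonces, URLs and the key-value HMAC-SHA256 signing are all constructed for the demonstration and are simplified relative to the full protocol (no response_nonce replay check, no discovery).</div>

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed: the only OPs this RP trusts to vouch for an email address.
TRUSTED_EMAIL_OPS = {"https://op.example.com/openid"}

# Constructed: association secrets the RP negotiated, keyed by handle and
# bound to the OP endpoint they were negotiated with.
ASSOCIATIONS = {
    "assoc-trusted": (b"trusted-op-secret", "https://op.example.com/openid"),
    "assoc-rogue": (b"rogue-op-secret", "https://rogue.example.net/openid"),
}

# Constructed: nonces the RP embedded in return_to for requests it started.
PENDING_NONCES = {"rp-nonce-1"}

REQUIRED_SIGNED = ("op_endpoint", "claimed_id", "return_to", "assoc_handle", "sreg.email")


def kv_signature(params, secret):
    """OpenID 2.0 style signature: HMAC over 'name:value\\n' of the signed fields."""
    signed = params["openid.signed"].split(",")
    kv = "".join(f"{name}:{params['openid.' + name]}\n" for name in signed)
    mac = hmac.new(secret, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def signature_valid(params):
    """True only if openid.sig verifies under an association this RP holds."""
    handle = params.get("openid.assoc_handle")
    if handle not in ASSOCIATIONS:
        return False
    secret, _ = ASSOCIATIONS[handle]
    return hmac.compare_digest(kv_signature(params, secret), params.get("openid.sig", ""))


def rp_nonce_from_return_to(return_to):
    """Extract the RP-issued nonce from the return_to query string (constructed scheme)."""
    return parse_qs(urlparse(return_to).query).get("rp_nonce", [None])[0]


def trusted_email(params):
    """Return the asserted email only if every check passes, otherwise None."""
    if not signature_valid(params):
        return None
    signed = set(params["openid.signed"].split(","))
    if any(field not in signed for field in REQUIRED_SIGNED):
        return None
    # Unsolicited assertion: no request of ours corresponds to this response.
    if rp_nonce_from_return_to(params["openid.return_to"]) not in PENDING_NONCES:
        return None
    # The asserting OP must be the one the association belongs to, and trusted for email.
    _, assoc_op = ASSOCIATIONS[params["openid.assoc_handle"]]
    op = params["openid.op_endpoint"]
    if op != assoc_op or op not in TRUSTED_EMAIL_OPS:
        return None
    return params["openid.sreg.email"]


def make_response(op_endpoint, handle, email, nonce):
    """Build a constructed positive assertion signed with the given association."""
    secret, _ = ASSOCIATIONS[handle]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": f"{op_endpoint}/user/alice",
        "openid.return_to": f"https://rp.example.org/return?rp_nonce={nonce}",
        "openid.assoc_handle": handle,
        "openid.sreg.email": email,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    params["openid.sig"] = kv_signature(params, secret)
    return params


if __name__ == "__main__":
    ok = make_response("https://op.example.com/openid", "assoc-trusted", "alice@example.com", "rp-nonce-1")
    rogue = make_response("https://rogue.example.net/openid", "assoc-rogue", "alice@example.com", "rp-nonce-1")
    print(trusted_email(ok))     # alice@example.com
    print(trusted_email(rogue))  # None
```

<div>The last check is the one the message is about: a correctly signed assertion is still worthless for the email claim unless the op_endpoint is one the RP trusts for email, and the association used to sign it must belong to that same OP, otherwise a response signed under a different OP's association but naming the trusted endpoint would pass. Refusing responses whose return_to nonce the RP never issued is what closes the unsolicited-assertion path.</div>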