[security] security hole in signature algorithm
Josh Hoyt
josh at janrain.com
Mon Nov 20 18:37:48 UTC 2006
On 11/19/06, Dick Hardt <dick at sxip.com> wrote:
> I don't see the newline and colon in this description. Is it hidden
> somewhere else in the spec?
I'm not sure I'd call it hidden. Under section 7 (Signatures)
(this is draft 10 text)
http://openid.net/specs/openid-authentication-2_0-10.html#anchor12
----
7.2. Procedure
To generate a message signature:
1. Determine the appropriate signature list and signature algorithm
from the association type (Establishing Associations).
2. Generate the list to be signed using the correct list algorithm.
3. Convert the list to an octet string by encoding with Key Value
Form (Key-Value Form Encoding).
4. Apply the correct signature algorithm to the octet string.
----
Josh
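
Added example, not part of the original message or of the spec text: a sketch of steps 2-4 of the quoted procedure, showing why Key-Value Form has to exclude the newline and colon asked about above. The function names, the sample fields and key, and the choice of HMAC-SHA1 with a base64 result are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def naive_encode(pairs):
    # No character checks: shown only to expose the ambiguity below.
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode("utf-8")

def kv_encode(pairs):
    """Step 3: Key-Value Form, one 'key:value\\n' line per pair."""
    for key, value in pairs:
        # A ':' or newline in a key, or a newline in a value, would let two
        # different lists encode to the same octet string.
        if ":" in key or "\n" in key:
            raise ValueError(f"illegal character in key {key!r}")
        if "\n" in value:
            raise ValueError(f"newline in value of {key!r}")
    return naive_encode(pairs)

def sign(mac_key, fields, signed):
    """Steps 2-4: build the list to sign, encode it, apply the MAC."""
    pairs = [(name, fields[name]) for name in signed]
    mac = hmac.new(mac_key, kv_encode(pairs), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def verify(mac_key, fields, signed, sig):
    try:
        expected = sign(mac_key, fields, signed)
    except (KeyError, ValueError):
        return False  # missing or malformed field: reject, never "repair"
    return hmac.compare_digest(expected, sig)

# Constructed sample data (not taken from the thread or the spec).
MAC_KEY = b"constructed-association-secret"
FIELDS = {"mode": "id_res", "identity": "http://example.com/alice",
          "return_to": "http://rp.example/cb"}
SIGNED = ["mode", "identity", "return_to"]
THREE = [(k, FIELDS[k]) for k in SIGNED]
# Two pairs whose second value smuggles in a third line.
TWO = [("mode", "id_res"),
       ("identity", "http://example.com/alice\nreturn_to:http://rp.example/cb")]

if __name__ == "__main__":
    sig = sign(MAC_KEY, FIELDS, SIGNED)
    print("sig:", sig)
    print("verifies:", verify(MAC_KEY, FIELDS, SIGNED, sig))
    print("naive collision:", naive_encode(TWO) == naive_encode(THREE))
```

Without the character checks, the two-pair list and the three-pair list produce identical octets and therefore the same MAC; with them, the two-pair list is rejected before anything is signed or verified.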