The obvious vulnerability would be an attacker that knew some number of OpenIDs 
at a given RP; by spoofing DNS and SSL they could gain access to those 
accounts by setting up a rogue IdP with the fraudulent SSL cert.  

This requires a DNS or routing vulnerability at the RP to be successful.

Not an easy attack.

However no attack is good.

For the FICAM OpenID profile we required OCSP or CRL checking for RPs to 
mitigate this risk.

John B.
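An added example, not code from this thread or from any library it mentions, of the RP-side mitigation described above: a Python `ssl` client context that verifies the OP's certificate against a loaded CRL and fails closed when no CRL is available, next to a check showing that the default context never consults revocation data. The function names and the CA/CRL file paths the caller supplies are assumptions.

```python
import socket
import ssl
from typing import Optional

# Added example: a "strict" client-side TLS context for an OpenID RP that
# must check the OP's certificate for revocation. Default contexts (in
# Python's ssl module as in most TLS stacks) verify the chain but never
# consult CRL data, which is the gap described in the thread.


def make_rp_client_context(ca_file: Optional[str] = None,
                           crl_file: Optional[str] = None,
                           whole_chain: bool = False) -> ssl.SSLContext:
    """Client context requiring a valid, hostname-matching, non-revoked
    certificate from the OP. ca_file: PEM bundle of trusted roots (None =
    system store); crl_file: PEM CRL(s) issued by those CAs (assumed path);
    whole_chain: also check intermediates (VERIFY_CRL_CHECK_CHAIN)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if crl_file is not None:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    # With this flag set, OpenSSL rejects the handshake ("unable to get
    # certificate CRL") when no CRL for the issuer has been loaded, so
    # revocation checking fails closed instead of being silently skipped.
    ctx.verify_flags |= (ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain
                         else ssl.VERIFY_CRL_CHECK_LEAF)
    return ctx


def revocation_checking_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will consult CRLs during verification."""
    return bool(ctx.verify_flags & (ssl.VERIFY_CRL_CHECK_LEAF
                                    | ssl.VERIFY_CRL_CHECK_CHAIN))


def default_context_checks_revocation() -> bool:
    """What an RP gets if it relies on library defaults."""
    return revocation_checking_enabled(ssl.create_default_context())


def fetch_op_certificate(host: str, port: int = 443,
                         ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect to an OP endpoint and return its leaf certificate as a dict.
    Raises ssl.SSLCertVerificationError if chain, hostname or CRL status
    fails; the RP should abort discovery/association in that case."""
    ctx = ctx or make_rp_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```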

On 2011-03-24, at 1:08 PM, Mike Hanson wrote:

> Thanks for the clarification, Phillip.
> 
> m
> 
> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
> 
>> No login servers were affected.
>> 
>> Several domains on which the servers are deployed were affected but not the 
>> login servers.
>> 
>> 
>> 
>> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <[email protected]> wrote:
>> Comodo has posted a detailed incident report here:
>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>> 
>> Several login servers were affected.
>> 
>> -MH
>> 
>> 
>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>> 
>> >
>> >
>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>> >
>> > The browser vendors blocking those certificates is nice, however there are 
>> > attacks on RPs that could be done with those certificates that are still 
>> > open.
>> >
>> > In testing something like 0% of RPs check OCSP or CRLs; the libs don't force 
>> > OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
>> >
>> > So perhaps encouraging people to perform those checks would be a good idea.
>> >
>> > We can only hope that none of the 9 certificates cover an OpenID OP, 
>> > otherwise user accounts at RPs could theoretically be compromised.
>> >
>> > John B.
>> >
>> >
>> > _______________________________________________
>> > security mailing list
>> > [email protected]
>> > http://lists.openid.net/mailman/listinfo/openid-security
>> 
>> 
>> 
>> 
>> -- 
>> Website: http://hallambaker.com/
>> 
> 
