If it's a protocol issue there are several providers that can be hurt, so pls exercise restraint in disclosing before other providers apart from MyOpenID have a chance to act!
Best would be some timeline to get concerned implementations chance to contact you and ask if their provider is vulnerable (like I did in a separate email) and then give some time for these parties to patch?

Thanks,
Hans

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, March 21, 2007 12:15 PM
> To: [email protected]
> Subject: Re: [security] MyOpenID
>
> No in my opinion the provider is following the correct
> implementation of OpenID so I think it is a problem with
> OpenID itself. It can be easily solved but provides
> inconvenience to the user of the OpenID service. I shall
> email the flaw once the provider has got back to me with a fix.
>
> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
> <[EMAIL PROTECTED]> wrote:
> >On Wed, 2007-03-21 at 18:51 +0000, [EMAIL PROTECTED] wrote:
> >
> >> I do have a working example that works in 1 browser at the moment but
> >> I can't send it because it is currently being fixed by MyOpenID. When
> >> I find out it has been fixed I shall send the example to the list.
> >
> >Presumably, then, this second case is a bug in a provider
> >implementation, not the protocol.
> >
> >Paul
>
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security
