I have no problem with that either, I am currently investigating other browsers. If anyone has an OpenID service that they wish me to have a quick look at then please contact me.

On Wed, 21 Mar 2007 20:25:24 +0000 Scott Kveton <[EMAIL PROTECTED]> wrote:
>> If it's a protocol issue there are several providers that
>> can be hurt, so pls exercise restraint in disclosing before
>> other providers apart from MyOpenID have a chance to act!
>
> That's a great point Hans, we'll exercise restraint as well if
> that's the case.
>
>> Best would be some timeline to get concerned implementations
>> chance to contact you and ask if their provider is vulnerable
>> (like I did in a separate email) and then give some time for
>> these parties to patch?
>
> Excellent idea. This seems like a great wiki topic "How to report
> a security vulnerability".
>
> - Scott
>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>>> Sent: Wednesday, March 21, 2007 12:15 PM
>>> To: [email protected]
>>> Subject: Re: [security] MyOpenID
>>>
>>> No in my opinion the provider is following the correct
>>> implementation of OpenID so I think it is a problem with
>>> OpenID itself. It can be easily solved but provides
>>> inconvenience to the user of the OpenID service. I shall
>>> email the flaw once the provider has got back to me with a fix.
>>>
>>> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
>>> <[EMAIL PROTECTED]> wrote:
>>>> On Wed, 2007-03-21 at 18:51 +0000, [EMAIL PROTECTED] wrote:
>>>>
>>>>> I do have a working example that works in 1 browser at the moment but
>>>>> I can't send it because it is currently being fixed by MyOpenID. When
>>>>> I find out it has been fixed I shall send the example to the list.
>>>>
>>>> Presumably, then, this second case is a bug in a provider
>>>> implementation, not the protocol.
>>>>
>>>> Paul

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
