Hi Gareth,

> I have been thinking about 2 possible flaws with OpenID providers,
> I haven't had time to test any of them however because I've started
> work on another project.
>
> Now they might not even exist or they could possibly create huge
> flaws in every provider worst case. I would like someone to test my
> theories and see if the holes are possible to exploit.
>
> What do you think is the best policy here? Do you think it is safe
> for me to publicly discuss this?

I'm still in the process of implementing an OP and would really like to know about any security problems before roll-out. Maybe we should assemble a list of currently active OPs so you can notify them maybe a week days in advance and then publicly discuss?

johannes
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
