Actually, you should never use anything but the openid.claimed_id in the positive assertion to identify the user. This or openid.identity are the only values that could possibly be used to identify the user.
You may also want to read this: http://nat.sakimura.org/2012/04/27/comments-on-wang-chen-wang-paper/

Nat

On Fri, Jul 27, 2012 at 10:54 AM, Mike Sun <[email protected]> wrote:
> Hi --
>
> I'm using python-openid for my RP and Google Marketplace wanted to make sure
> this implementation is not vulnerable to spoofed, non-signed attributes such
> as email addresses.
>
> See:
> http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html
>
> Looking at the python-openid code, it seems that the default requires that
> only signed attributes are allowed to be passed in the response.
>
> See:
> https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py
>
> Can anyone confirm that it is true that python-openid checks that the
> attribute is signed by the correct corresponding IDP?
>
> Thanks,
> Mike
>
> _______________________________________________
> security mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-security

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
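The check discussed in this thread, written out as an added example that is neither python-openid's own code nor part of either message: an RP must identify the user by a signed openid.claimed_id and must accept an AX attribute (such as an email address) only when the AX namespace declaration and every key belonging to that attribute are listed in openid.signed. The sample positive assertion, the OP and RP URLs, the attribute values and the signature placeholder below are all constructed; the code assumes the response has already been parsed into a dict of "openid.*" keys and that openid.sig has been verified with the OP, so it only decides which fields that signature actually covers.

```python
# Added example: which fields of an OpenID 2.0 positive assertion may be trusted.
# Not python-openid's code. Assumes the signature itself was already verified
# (association or check_authentication); this only interprets openid.signed.

AX_NS = "http://openid.net/srv/ax/1.0"

# OpenID 2.0 requires these to be signed whenever they are present.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def signed_fields(response):
    """Set of 'openid.*' keys covered by the signature, per openid.signed."""
    signed = response.get("openid.signed", "")
    return {"openid." + f.strip() for f in signed.split(",") if f.strip()}


def unsigned_required_fields(response):
    """Required fields present in the response but missing from openid.signed."""
    signed = signed_fields(response)
    return [f for f in REQUIRED_SIGNED
            if "openid." + f in response and "openid." + f not in signed]


def user_identifier(response):
    """The only value that identifies the user: a signed openid.claimed_id."""
    if "openid.claimed_id" in signed_fields(response):
        return response["openid.claimed_id"]
    return None


def _ax_alias(response, signed):
    """Alias bound to the AX namespace, only if that binding is itself signed."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == AX_NS and key in signed:
            return key[len("openid.ns."):]
    return None


def signed_ax_attributes(response):
    """Return {type_uri: [values]} for AX attributes whose every key is signed."""
    signed = signed_fields(response)
    alias = _ax_alias(response, signed)
    if alias is None:
        return {}
    prefix = "openid.%s." % alias
    accepted = {}
    for key, type_uri in response.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix) + len("type."):]
        count_key = prefix + "count." + name
        if count_key in response:
            # Multi-valued attribute: count.<name> plus value.<name>.1 .. N
            n = int(response[count_key])
            value_keys = [prefix + "value." + name + "." + str(i)
                          for i in range(1, n + 1)]
            needed = [key, count_key] + value_keys
        else:
            value_keys = [prefix + "value." + name]
            needed = [key] + value_keys
        # An attribute is trusted only if the type, the value(s) and the count
        # were all covered by the OP's signature; anything else is dropped.
        if all(k in response and k in signed for k in needed):
            accepted[type_uri] = [response[k] for k in value_keys]
    return accepted


# Constructed positive assertion. The email value key was appended to the
# response without being covered by openid.signed, as in the 2011 advisory.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/auth",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2012-07-27T17:54:00ZCONSTRUCTED",
    "openid.assoc_handle": "constructed-handle",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.fullname": "http://axschema.org/namePerson",
    "openid.ax.value.fullname": "Alice Example",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "victim@example.com",   # not in openid.signed
    "openid.signed": ("op_endpoint,claimed_id,identity,return_to,"
                      "response_nonce,assoc_handle,ns.ax,ax.mode,"
                      "ax.type.fullname,ax.value.fullname,ax.type.email"),
    "openid.sig": "base64-signature-placeholder",
}

if __name__ == "__main__":
    print("user:", user_identifier(SAMPLE_RESPONSE))
    print("unsigned required fields:", unsigned_required_fields(SAMPLE_RESPONSE))
    print("trusted AX attributes:", signed_ax_attributes(SAMPLE_RESPONSE))
```

Run against the sample, the fullname attribute is returned and the email attribute is dropped because its value key is not signed, even though its type key is; a response whose openid.signed omits claimed_id yields no user identifier at all, which is the behaviour an RP should want rather than falling back to an unsigned field.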
