RE: OpenID Security

2009-02-09 Thread SitG Admin
Likewise, the protocol can be defined as weak where someone may apply additive security on top of it. Kinda like doing SMTP over TLS and/or S/MIME. Is that what Ben Laurie meant in the footnote? http://openid.net/pipermail/security/2008-August/000404.html A given implementation of OpenID *might

RE: OpenID Security

2009-02-09 Thread McGovern, James F (HTSC, IT)
-Original Message- From: Peter Watkins [mailto:pet...@tux.org] Sent: Friday, February 06, 2009 8:29 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: OpenID Security >> What do you mean, "the" implementation? There is no "the" implementation

Re: OpenID Security

2009-02-06 Thread Peter Watkins
On Fri, Feb 06, 2009 at 03:43:30PM -0500, McGovern, James F (HTSC, IT) wrote: > 2. Which is worse, having to sort through false positives or to not > perform static analysis at all and have OpenID fail once some bad guy > busts the implementation so badly that everyone runs away from OpenID? What

Re: OpenID Security

2009-02-06 Thread Darren Bounds
ty Compass (http://www.securitycompass.com) Artec > (http://www.artecgroup.net) and Cigital (http://www.cigital.com) > > Date: Thu, 5 Feb 2009 15:48:06 -0500 > From: Darren Bounds > Subject: Re: OpenID Security > To: "McGovern, James F (HTSC, IT)" > Cc: specs@openid.ne

Re: OpenID Security

2009-02-05 Thread Nat Sakimura
on't have to worry >> about licensing as OWASP (http://www.owasp.org) will scan at no cost... >> >> ---------- >> >> Message: 1 >> Date: Fri, 6 Feb 2009 01:34:33 +0900 >> From: Nat Sakimura >> Subject: Re: OpenID Security >> To: "McGovern, James F (HTSC, IT)

Re: OpenID Security & certification

2009-02-05 Thread Nat Sakimura
Yes. I think the protocol testing site idea is already on the table. =nat On Fri, Feb 6, 2009 at 7:34 AM, SitG Admin wrote: >> If OIDF wants to certify something, it should certify compliance to the >> OpenID standard. > > +1; different parties employing OpenID might have/practice/need different

Re: OpenID Security & certification

2009-02-05 Thread SitG Admin
If OIDF wants to certify something, it should certify compliance to the OpenID standard. +1; different parties employing OpenID might have/practice/need different security standards, too (let the first people to want OWASP, submit the libraries they're thinking of using to OWASP). -Shade

Re: OpenID Security & certification

2009-02-05 Thread Peter Watkins
On Fri, Feb 06, 2009 at 01:34:33AM +0900, Nat Sakimura wrote: > It might be worthwhile for somebody like OIDF to buy a > license and run a certification program out of it. If OIDF wants to certify something, it should certify compliance to the OpenID standard. It would be good for OIDF to make an

Re: OpenID Security

2009-02-05 Thread Darren Bounds
.org) will scan at no cost... > > -- > > Message: 1 > Date: Fri, 6 Feb 2009 01:34:33 +0900 > From: Nat Sakimura > Subject: Re: OpenID Security > To: "McGovern, James F (HTSC, IT)" > Cc: specs@openid.net > Message-ID: > > Content-Type: text

Re: OpenID Security

2009-02-05 Thread Nat Sakimura
Yeah. Fortify is nice. I do not know what would be the licensing terms now, but before, it used to have a "traveling" kind of license that allowed consultants to do the evaluation for the projects of their customers. It might be worthwhile for somebody like OIDF to buy a license and run a certifica