Paul C. Bryan wrote:
>
> 3. I, the attacker, set up my attacking OpenID page
> (http://attacker.org/attackjohn.html) with the following link
> relationships:
>
> openid.server = http://rogeidp.org/openid
> openid.delegate = http://secureid.org/jsmith
>
> 4. I go to John's favorite Wiki site, where he has authored a lot of
> content and developed a reputation using his OpenID identity. I can
> authenticate with the site just as he does, and impersonate him in all
> of my further deeds.
>
> </scenario>
>
> So, am I missing something?
>
Yes, you are. :)

In the above situation, despite the "delegate" reference a site is required to use the "claimed identifier" http://attacker.org/attackjohn.html rather than the delegate identifier http://secureid.org/jsmith, so even if http://rogeidp.org/openid provides a positive assertion for http://secureid.org/jsmith the end site will identify you as http://attacker.org/attackjohn.html. You have gained nothing.

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
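The rule stated in the reply above, as an added example that is not part of the original thread or any OpenID library: a simplified relying party that runs discovery on the claimed identifier and keys the local account on that identifier, never on the delegate. The function names, the dictionary fields and the sample page are assumptions made for illustration, and signature verification of the assertion is left out.

```python
from html.parser import HTMLParser

class _LinkRels(HTMLParser):
    """Collect <link rel="openid.*" href="..."> values from an identity page."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = a.get("rel") or ""
        if tag == "link" and rel.startswith("openid.") and a.get("href"):
            self.rels[rel] = a["href"]

def discover(claimed_id, html):
    """Discovery on the claimed identifier: which server to ask, and about whom."""
    p = _LinkRels()
    p.feed(html)
    return {"claimed_id": claimed_id,
            "server": p.rels["openid.server"],
            # Without a delegate, the server is asked about the claimed identifier.
            "ask_about": p.rels.get("openid.delegate", claimed_id)}

def local_identity(disc, assertion):
    """Return the identifier the relying party keys the account on, or None."""
    if assertion["from_server"] != disc["server"]:
        return None  # assertion did not come from the discovered server
    if assertion["identity"] != disc["ask_about"] or not assertion["positive"]:
        return None
    # The delegate only says what to ask; the user is always the claimed identifier.
    return disc["claimed_id"]

# Constructed page and assertion mirroring the scenario in the thread.
ATTACKER_PAGE = ('<html><head>'
                 '<link rel="openid.server" href="http://rogeidp.org/openid">'
                 '<link rel="openid.delegate" href="http://secureid.org/jsmith">'
                 '</head></html>')
JOHN_DELEGATE = "http://secureid.org/jsmith"

def attacker_login():
    disc = discover("http://attacker.org/attackjohn.html", ATTACKER_PAGE)
    rogue = {"from_server": "http://rogeidp.org/openid",
             "identity": JOHN_DELEGATE, "positive": True}
    return local_identity(disc, rogue)

if __name__ == "__main__":
    print(attacker_login())  # the wiki sees the attacker's own URL, not John's
```

A relying party that instead stored `assertion["identity"]` as the account key would be the broken implementation the scenario depends on.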
