-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Matt
> Which is the last 'the site' you're referring to, the Relying Party
> (e.g. ficlets)? Take a look at the Single Sign Out topics that have
> been discussed on the OpenID lists. Do you have a step by step
> walkthrough example?

Here are the steps I took:

1. Logged onto the OpenID server (https://www.myopenid.com/signin)
2. Logged onto ficlets.com with my OpenID (http://ficlets.com/signin/signin?ret=/)
3. Selected Trust forever on the OpenID server.
4. Logged out of ficlets.com.
5. Visited the site I created to log back on automatically.

>> 2. The second problem is more serious: you can create a specially
>> crafted web page to automatically log on to a web site and also add
>> that web site to the allow forever trusted site. The only
>> requirement is that you have to be logged onto the OpenID server.
>
> How would you do this? Do you have an example?

I do have a working example that works in 1 browser at the moment, but
I can't send it because it is currently being fixed by MyOpenID. When
I find out it has been fixed I shall send the example to the list.

>> Both cases can be prevented if the OpenID specification requires
>> authorisation regardless of a cached token.
>
> That would defeat the purpose of some of the key benefits. I'd like
> to know more about which specific issues you're referring to.
>
> Thanks,
> Matt
>
>> Cheers
>>
>> Gareth
>
> ------------------
> Matt Pelletier
> http://www.eastmedia.com -- EastMedia
> http://www.informit.com/title/0321483502 -- The Mongrel Book
> http://identity.eastmedia.com -- OpenID, Identity 2.0

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYBfqMACgkQrR8fg3y/m1AvAwP+MpuOTiry3aCX5tt9eUf7UBNP/dom
sdf5zyeO565qZTToCtPe2529vG5N2p4zfA1lZbVDb3FrEOzZjxV64QdKQDe/jEKFLowg
2dr6Zu/D7dOy5JubPh15YQBJrCg6MnoatfULf1wLCyptQRqXGljnBLMzPcRG5hUxsNSY
7/ObHBY=
=H4dV
-----END PGP SIGNATURE-----

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
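The state that Gareth's five steps exercise (an OP session plus a "trust forever" record that survive a logout at the Relying Party) can be modelled in a few lines. The following is an added example, not code from this thread, from MyOpenID or from ficlets: a toy in-memory OpenID Provider and Relying Party whose class names, the `always_confirm` policy switch and the `user_confirms` callback are all assumptions of the model. It shows why an RP logout alone does not prevent the automatic re-login, why a request reaching the OP with nobody at the confirmation page still completes when a cached trust record exists, and how the "require authorisation regardless of a cached token" policy proposed in the thread changes both outcomes.

```python
"""Toy model of OpenID session / 'trust forever' state (added example, not the thread's code)."""
from dataclasses import dataclass, field


@dataclass
class OpenIDProvider:
    """Assumed OP: tracks users logged on at the OP and per-user trusted realms."""
    always_confirm: bool = False                  # policy proposed in the thread
    sessions: set = field(default_factory=set)    # users with a live OP session
    trusted: dict = field(default_factory=dict)   # user -> set of 'trust forever' realms

    def login(self, user):
        self.sessions.add(user)

    def checkid(self, user, realm, user_confirms):
        """Decide an authentication request for `realm`.

        `user_confirms(realm)` models the OP's confirmation page and is only
        called when the OP actually asks the user.  Returns (approved, asked).
        """
        if user not in self.sessions:
            return False, False               # no OP session: nothing to auto-approve
        cached = realm in self.trusted.get(user, set())
        if cached and not self.always_confirm:
            return True, False                # cached decision answers silently
        approved = user_confirms(realm)       # fresh user decision required
        if approved:
            self.trusted.setdefault(user, set()).add(realm)
        return approved, True


@dataclass
class RelyingParty:
    """Assumed RP: its logout clears only its own session, never OP state."""
    realm: str
    op: OpenIDProvider
    logged_in: set = field(default_factory=set)

    def signin(self, user, user_confirms):
        approved, asked = self.op.checkid(user, self.realm, user_confirms)
        if approved:
            self.logged_in.add(user)
        return approved, asked

    def logout(self, user):
        self.logged_in.discard(user)


def trust_forever(realm):
    return True        # user ticks 'Trust forever' on the OP page


def nobody_present(realm):
    return False       # no user at the confirmation page, so it cannot be accepted


def scenario_relogin_after_rp_logout(always_confirm=False):
    """Steps 1-5 from the thread; returns (approved, asked) for step 5."""
    op = OpenIDProvider(always_confirm=always_confirm)
    rp = RelyingParty("http://rp.example/", op)     # constructed realm
    op.login("alice")                                # step 1: log on at the OP
    rp.signin("alice", trust_forever)                # steps 2-3: RP login, trust forever
    rp.logout("alice")                               # step 4: log out of the RP only
    return rp.signin("alice", nobody_present)        # step 5: revisit; user decides nothing


def scenario_unattended_request(trusted_already, always_confirm=False):
    """A sign-in reaching the OP while the user has a session but is not present."""
    op = OpenIDProvider(always_confirm=always_confirm)
    rp = RelyingParty("http://rp.example/", op)
    op.login("alice")
    if trusted_already:
        op.trusted["alice"] = {rp.realm}
    return rp.signin("alice", nobody_present)


if __name__ == "__main__":
    print("re-login after RP logout, cached trust honoured:", scenario_relogin_after_rp_logout())
    print("re-login after RP logout, always confirm:      ", scenario_relogin_after_rp_logout(True))
    print("unattended request, cached trust:              ", scenario_unattended_request(True))
    print("unattended request, always confirm:            ", scenario_unattended_request(True, True))
```

With the default policy both scenarios return `(True, False)`: the authentication completes and the user is never asked, which is exactly what step 5 and the "second problem" describe. With `always_confirm=True` the OP asks every time, so an absent or declining user yields `(False, True)`; the cost, as Matt notes, is losing the silent re-login that the cached decision was meant to provide.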