> If it's a protocol issue there are several providers that
> can be hurt, so pls exercise restraint in disclosing before
> other providers apart from MyOpenID have a chance to act!

That's a great point Hans, we'll exercise restraint as well if that's the case.

> Best would be some timeline to get concerned implementations
> chance to contact you and ask if their provider is vulnerable
> (like I did in a separate email) and then give some time for
> these parties to patch?

Excellent idea. This seems like a great wiki topic "How to report a security vulnerability".

- Scott

>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>> Sent: Wednesday, March 21, 2007 12:15 PM
>> To: [email protected]
>> Subject: Re: [security] MyOpenID
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> No in my opinion the provider is following the correct
>> implementation of OpenID so I think it is a problem with
>> OpenID itself. It can be easily solved but provides
>> inconvenience to the user of the OpenID service. I shall
>> email the flaw once the provider has got back to me with a fix.
>>
>> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
>> <[EMAIL PROTECTED]> wrote:
>>> On Wed, 2007-03-21 at 18:51 +0000, [EMAIL PROTECTED] wrote:
>>>
>>>> I do have a working example that works in 1 browser at the moment but
>>>> I can't send it because it is currently being fixed by MyOpenID. When
>>>> I find out it has been fixed I shall send the example to the list.
>>>
>>> Presumably, then, this second case is a bug in a provider
>>> implementation, not the protocol.
>>>
>>> Paul
>> -----BEGIN PGP SIGNATURE-----
>> Note: This signature can be verified at
>> https://www.hushtools.com/verify
>> Version: Hush 2.5
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> security mailing list
>> [email protected]
>> http://openid.net/mailman/listinfo/security
