[nycbug-talk] know OpenID VERY well?

Jonathan Vanasco nycbug-list at 2xlp.com
Mon Jun 2 18:57:51 EDT 2008

A few years ago I thought I spotted a security vulnerability in the  
design of the protocol.  I've never had time to properly inspect.

This is definitely an 'edge case' and caused by the implementation of  
OpenID, not a flaw in the protocol.

If you know the protocol very well and have an open mind, please be  
in touch ( Most people who know OpenID are evangelists and outright  
dismiss any criticism )

  if I'm right about this, we can author the paper + test case  
together.   If I'm wrong about this, at least my nerves can be put at  

You need to know OpenID REALLY well to confirm/laugh at my suspicions  
-- it has to do with the order of events and protocol requirements,  
and I could be 100% off about this.

More information about the talk mailing list