[nycbug-talk] know OpenID VERY well?
nycbug-list at 2xlp.com
Mon Jun 2 18:57:51 EDT 2008
A few years ago I thought I spotted a security vulnerability in the
design of the protocol. I've never had time to properly inspect.
This is definitely an 'edge case' and caused by the implementation of
OpenID, not a flaw in the protocol.
If you know the protocol very well and have an open mind, please be
in touch. (Most people who know OpenID are evangelists and outright
dismiss any criticism.)
If I'm right about this, we can author the paper + test case
together. If I'm wrong about this, at least my nerves can be put at
You need to know OpenID REALLY well to confirm/laugh at my suspicions
-- it has to do with the order of events and protocol requirements,
and I could be 100% off about this.