Blogger: Bob Blakley
At Catalyst North America in San Francisco, I noted in my “New-School Identity Systems” talk that OpenID does not define the relationship between usernames and the names of the OpenID servers which authenticate the owners of those usernames. I went on to predict that this would cause security problems.
A number of participants came up to me after the presentation and assured me that I was wrong, and that the lack of a defined set of trust anchor names and a defined set of rules for which portions of the user namespace each trust anchor was responsible for doesn’t create security issues with OpenID.
They were wrong and I was right; Eugene and Vlad Tsyrklevich give details of the attacks I predicted in this paper from Black Hat 2007. Their “Step 2” and “Step 4” attacks are precisely the sorts of things I’ve been expecting to see. Thanks to Pamela Dingle for pointing me to the text of the paper, which I’d heard of but not seen until this morning. There’s an accompanying presentation here.