fritte02 / lightopenid

Automatically exported from code.google.com/p/lightopenid
0 stars 0 forks source link

Ax/SReg Params may be unsigned #64

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When user is returned form IdP (mode = id_res), a list of signed attributes and 
a signature is included. There is no guarantee that all attributes (ax 
attributes or sreg attributes) will be signed. This allows an attacker to 
assert attributes that are unsigned, and if the relying party uses them, they 
can be falsified.

For relying parties who need to have confidence in those items, there should be 
a way to tell which attributes are signed, or to only request attributes that 
are signed. Perhaps a flag to getAttributes($signedOnly = false);

I can work up a patch if you agree.

Original issue reported on code.google.com by john.les...@gmail.com on 9 Apr 2013 at 2:57