[Openid-specs-ab] Issue #1300: Requirement for Binding between IA's claim set subject and IdA's ID Token subject (openid/connect)

Edmund Jay issues-reply at bitbucket.org
Thu Aug 19 08:18:06 UTC 2021


New issue 1300: Requirement for Binding between IA's claim set subject and IdA's ID Token subject
https://bitbucket.org/openid/connect/issues/1300/requirement-for-binding-between-ias-claim

Edmund Jay:

Comments from TL regarding [pull request #39](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca)

[https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238238135](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238238135)

Torsten Lodderstedt 2021-07-24

I think this is a much too strong requirement. See above: the fact the user has successfully authenticated with both entities typically suffices.

Nat Sakimura 2021-08-09

How does CC find that the claimset has been obtained through the act of active authentication towards the IA? The attacker may have obtained the claimset as a CC before and may be replaying it.

Tobias Looker 2021-08-09

But if those events cannot be linked appropriately then the delegation occurring between IA to the IdA cannot be validated. Essentially because the IdA is presenting claims on behalf of the IA the RP must be able to validate this.
