[PROPOSAL] Giving Signatures/Assertions Context
Recordon, David
drecordon at verisign.com
Wed Nov 8 00:18:28 UTC 2006
The response message today doesn't include an identifier for the IdP/OP,
so this would be a new field that would be added to the message. Like I
said, in OpenID's case I don't think there is a reason why this
anonymity would be desired, though I wanted to mention it in the broader
discussion.
--David
-----Original Message-----
From: Dick Hardt [mailto:dick at sxip.com]
Sent: Tuesday, November 07, 2006 4:15 PM
To: Recordon, David
Cc: specs at openid.net; security at openid.net
Subject: Re: [PROPOSAL] Giving Signatures/Assertions Context
On 7-Nov-06, at 3:42 PM, Recordon, David wrote:
> So I know I said no more proposals like a month ago, but this one
> helps from a security perspective around the signature on the
> response.
>
> Currently the response must have "return_to", "response_nonce" and
> then "disco_id" and "identity" if they are present. I'm proposing
> that we add to this requirement the following fields:
> - assoc_handle
> - URI identifier for the IdP's server endpoint
++1
I would not consider this a proposal, this is a bug fix!
>
> This helps to:
> - Make the signature clearly reflect the request
> - Gives the assertion/signature context on its own
> - Reduces the potential for replaying responses in differing
> contexts, though the nonce takes care of this already
>
> The main benefit is really helping to make the context of the response
> more clear so that a response on its own clearly shows the IdP it is
> from, the association handle, along with where the user is being sent,
> the nonce, and the identifier.
>
> The one potential point for objection we see is that there are times
> when a signer may wish to remain anonymous, but rather leave it to the
> recipient to know who they are. I don't see this as a concern within
> OpenID as it stands today, though I wanted to mention it for
> completeness.
side note: Would you explain how the signer can be anonymous? The OP URL
in the message must match what is found during discovery.
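As an added illustration of the proposal (not code from the thread or from any OpenID implementation), the snippet below signs an assertion HMAC-SHA1 over the key-value form of the fields listed in `signed`, and has the verifier refuse any response whose `signed` list omits the required context. The field names `op_endpoint` (for the IdP's server endpoint URI), the MAC key and the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Fields the thread's current rule puts under the signature, and the two the
# proposal adds (assoc_handle and the OP server endpoint URI, named op_endpoint here).
CURRENT_RULE = ("return_to", "response_nonce")
PROPOSED_RULE = CURRENT_RULE + ("assoc_handle", "op_endpoint")
REQUIRED_IF_PRESENT = ("disco_id", "identity")

MAC_KEY = b"constructed-association-mac-key"  # constructed sample, not a real key


def kv_form(fields, signed):
    """Key-value form of the signed fields, in the order the 'signed' list gives them."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign(fields, mac_key):
    """OP side: HMAC-SHA1 over the key-value form of the fields named in 'signed'."""
    digest = hmac.new(mac_key, kv_form(fields, fields["signed"].split(",")), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(fields, mac_key, required=PROPOSED_RULE):
    """RP side: insist the signed list covers the required context, then check the MAC."""
    signed = fields["signed"].split(",")
    missing = [k for k in required if k not in signed]
    missing += [k for k in REQUIRED_IF_PRESENT if k in fields and k not in signed]
    if missing:
        return False, f"unsigned context fields: {missing}"
    if any(k not in fields for k in signed):
        return False, "signed list names a field that is absent"
    if not hmac.compare_digest(sign(fields, mac_key), fields["sig"]):
        return False, "bad signature"
    return True, "ok"


def make_response(signed_fields, mac_key=MAC_KEY):
    """Constructed positive assertion, signed over the given field list."""
    fields = {
        "op_endpoint": "https://op.example/server",
        "return_to": "https://rp.example/finish",
        "response_nonce": "2006-11-07T23:42:00Zabc",
        "assoc_handle": "constructed-handle-1",
        "identity": "https://alice.example/",
        "signed": ",".join(signed_fields),
    }
    fields["sig"] = sign(fields, mac_key)
    return fields
```

Under `CURRENT_RULE` a response still verifies after its `assoc_handle` is swapped, because the handle is not covered by the signature; under `PROPOSED_RULE` the same swap fails the MAC check, and a response that leaves the handle or endpoint out of `signed` is rejected before the MAC is even computed.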