RP attack vector - why two identifiers are redundant
Dick Hardt
dick at sxip.com
Sun Oct 15 04:39:03 UTC 2006
On 14-Oct-06, at 9:17 PM, Josh Hoyt wrote:
> On 10/14/06, Dick Hardt <dick at sxip.com> wrote:
>> Since the request is not signed and flows through the user, the IdP
>> does not know the request message has not been modified. If the IdP
>> assumes the two identifiers are bound, then a malicious user can
>> pretend to be a different user from the same IdP to the RP. This
>> presumes the IdP is using an IdP identifier and the RP is using an RP
>> identifier and the binding is assumed by sending both.
>>
>> Therefore, the IdP MUST make sure the two identifiers are linked, so
>> sending both is redundant for the IdP.
>
> The relying party knows both identifiers from doing discovery, and it
> must check to make sure they match what is in the assertion.
Actually, the RP needs to bind the IdP to the presented_identifier.
> Since the
> relying party MUST make sure it matches, the IdP doesn't have to. I
> would say that the IdP SHOULD check to make sure it's valid, but it's
> not strictly required.
The IdP needs to bind the user they have authenticated to the
presented_identifier.
Per my other email, the display_identifier is just a hint and is not
needed.
-- Dick
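As an added illustration (not code from this thread or from any OpenID implementation), the following Python model shows the two bindings the message describes: the IdP binds the user it has authenticated to the presented_identifier before signing, and the RP binds the asserting IdP to the presented_identifier through discovery. The request is modelled as unsigned input that passes through the user's browser, so the identifier it names is untrusted at the IdP. All names, the discovery table, the account table and the HMAC-based signature are constructed stand-ins, not the OpenID wire format.

```python
"""Model of the RP-side and IdP-side identifier bindings (constructed example)."""
import hashlib
import hmac

# Constructed association key shared by the RP and the IdP (stand-in for an association).
ASSOC_KEY = b"constructed-association-key"

# Constructed discovery table: identifier -> IdP endpoint authoritative for it.
DISCOVERY = {
    "https://alice.example/": "https://idp.example/openid",
    "https://bob.example/": "https://idp.example/openid",
    "https://carol.other.example/": "https://other-idp.example/openid",
}

# Constructed IdP account table: authenticated user -> identifiers that user owns.
IDP_ACCOUNTS = {
    "alice": {"https://alice.example/"},
    "bob": {"https://bob.example/"},
}
IDP_ENDPOINT = "https://idp.example/openid"


def _sign(idp, presented_identifier):
    """Signature over the fields the RP relies on (HMAC stands in for the real scheme)."""
    msg = f"{idp}\n{presented_identifier}".encode()
    return hmac.new(ASSOC_KEY, msg, hashlib.sha256).hexdigest()


def idp_issue_assertion(authenticated_user, presented_identifier, check_binding=True):
    """IdP side.

    The request arrived unsigned through the user's browser, so presented_identifier
    is untrusted. With check_binding=True the IdP refuses to assert an identifier the
    authenticated user does not own; with check_binding=False it trusts the request
    as received, which is the weakness the thread discusses.
    """
    owned = IDP_ACCOUNTS.get(authenticated_user, set())
    if check_binding and presented_identifier not in owned:
        return None  # refuse to sign: user is not bound to this identifier
    return {
        "idp": IDP_ENDPOINT,
        "presented_identifier": presented_identifier,
        "sig": _sign(IDP_ENDPOINT, presented_identifier),
    }


def rp_verify_assertion(assertion):
    """RP side: verify the signature, then bind the asserting IdP to the identifier.

    Discovery (done by the RP itself, not taken from the message) must name the
    asserting IdP as authoritative for presented_identifier.
    """
    expected = _sign(assertion["idp"], assertion["presented_identifier"])
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    return DISCOVERY.get(assertion["presented_identifier"]) == assertion["idp"]


def scenario(check_binding):
    """Bob alters the unsigned request in his browser so it names Alice's identifier.

    Returns the identifier the RP ends up accepting, or None if the flow is refused
    at either side. Both identifiers belong to the same IdP, so the RP's discovery
    check alone cannot tell them apart; only the IdP-side binding stops it.
    """
    assertion = idp_issue_assertion("bob", "https://alice.example/", check_binding)
    if assertion is None or not rp_verify_assertion(assertion):
        return None
    return assertion["presented_identifier"]
```

The RP check still matters on its own: an assertion from idp.example naming carol.other.example fails discovery and is rejected regardless of the IdP's behaviour. The scenario function shows why it is not sufficient when both identifiers sit behind the same IdP.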