RP attack vector - why two identifiers are redundant

Dick Hardt dick at sxip.com
Sun Oct 15 04:39:03 UTC 2006


On 14-Oct-06, at 9:17 PM, Josh Hoyt wrote:

> On 10/14/06, Dick Hardt <dick at sxip.com> wrote:
>> Since the request is not signed and flows through the user, the IdP
>> does not know the request message has not been modified. If the IdP
>> assumes the two identifiers are bound, then a malicious user can
>> pretend to be a different user from the same IdP to the RP. This
>> presumes the IdP is using an IdP identifier and the RP is using an RP
>> identifier and the binding is assumed by sending both.
>>
>> Therefore, the IdP MUST make sure the two identifiers are linked, so
>> sending both is redundant for the IdP.
>
> The relying party knows both identifiers from doing discovery, and it
> must check to make sure they match what is in the assertion.

Actually, the RP needs to bind the IdP to the presented_identifier.

> Since the
> relying party MUST make sure it matches, the IdP doesn't have to. I
> would say that the IdP SHOULD check to make sure it's valid, but it's
> not strictly required.

The IdP needs to bind the user they have authenticated to the
presented_identifier.

Per my other email, the display_identifier is just a hint and is not
needed.

-- Dick
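The attack the thread is arguing about, as an added simulation that is not part of the original message or of any OpenID implementation: a relying party does discovery on a claimed identifier, redirects an unsigned request carrying both an RP-facing identifier and an IdP-local identifier through the user's browser, and a malicious user rewrites the IdP-local identifier to his own account before the IdP sees it. The code then shows the two defences the thread discusses, the IdP binding the authenticated user to the identifier it asserts, and the RP re-checking the assertion against its own discovery result. The discovery table, account table, field names `rp_identifier`/`idp_identifier` (modelled on the thread's "RP identifier" and "IdP identifier"), the hostnames, and the HMAC standing in for an association signature are all constructed for this example.

```python
import hashlib
import hmac

# Constructed discovery table for an RP-facing identifier: the IdP endpoint
# and the IdP-local identifier that is supposed to back it.
DISCOVERY = {
    "https://alice.example.net/": ("https://idp.example.com/", "idp:alice"),
    "https://bob.example.net/":   ("https://idp.example.com/", "idp:bob"),
}

# Constructed IdP account table: for each login, the IdP-local identifier it
# owns and the RP-facing identifier the IdP knows is bound to it.
IDP_ACCOUNTS = {
    "bob":   ("idp:bob",   "https://bob.example.net/"),
    "alice": ("idp:alice", "https://alice.example.net/"),
}

# Hypothetical shared secret between RP and IdP (an association, in OpenID terms).
ASSOC_SECRET = b"constructed-association-secret"


def sign(fields):
    """HMAC over the sorted fields; stands in for the IdP's assertion signature."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


def rp_start(claimed):
    """RP does discovery and builds the unsigned request it redirects via the user."""
    idp, idp_id = DISCOVERY[claimed]
    return {"idp": idp, "rp_identifier": claimed, "idp_identifier": idp_id}


def idp_handle(request, login, bind_identifiers):
    """IdP has authenticated `login`; decide whether to assert what the request asks.

    With bind_identifiers=False the IdP only checks its own identifier and assumes
    the RP identifier that arrived with it is bound (the thread's attack vector).
    """
    own_id, own_rp_id = IDP_ACCOUNTS[login]
    if request["idp_identifier"] != own_id:
        return None  # authenticated user does not own this IdP-local identifier
    if bind_identifiers and request["rp_identifier"] != own_rp_id:
        return None  # IdP knows this user does not own the RP identifier
    assertion = {k: request[k] for k in ("idp", "rp_identifier", "idp_identifier")}
    assertion["sig"] = sign(assertion)
    return assertion


def rp_finish(assertion, check_discovery):
    """RP verifies the signature and, if check_discovery, re-checks discovery."""
    if assertion is None:
        return None
    fields = {k: v for k, v in assertion.items() if k != "sig"}
    if not hmac.compare_digest(sign(fields), assertion["sig"]):
        return None
    if check_discovery:
        idp, idp_id = DISCOVERY[assertion["rp_identifier"]]
        if (idp, idp_id) != (assertion["idp"], assertion["idp_identifier"]):
            return None  # asserted pair is not the pair discovery produced
    return assertion["rp_identifier"]


def run(claimed, login, tamper, bind_identifiers, check_discovery):
    """One end-to-end flow; returns the identifier the RP ends up trusting, or None.

    `tamper` models the user rewriting the unsigned request in his own browser so
    that the IdP-local identifier names the account he can actually log in to.
    """
    request = rp_start(claimed)
    if tamper:
        request["idp_identifier"] = IDP_ACCOUNTS[login][0]
    assertion = idp_handle(request, login, bind_identifiers)
    return rp_finish(assertion, check_discovery)


if __name__ == "__main__":
    alice = "https://alice.example.net/"
    # Bob types Alice's identifier, tampers, and logs in as himself at the IdP.
    print("naive IdP, naive RP  ->", run(alice, "bob", True, False, False))
    print("binding IdP          ->", run(alice, "bob", True, True, False))
    print("checking RP          ->", run(alice, "bob", True, False, True))
    print("honest Bob           ->", run("https://bob.example.net/", "bob", False, True, True))
```

With both checks off the RP accepts a validly signed assertion naming Alice even though only Bob was authenticated; either the IdP's binding check or the RP's discovery check on its own is enough to stop it, which is the difference between Josh's "RP MUST, IdP SHOULD" and Dick's "IdP MUST".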