Two Identifiers - no caching advantage

Dick Hardt dick at sxip.com
Thu Oct 19 07:12:52 UTC 2006


After reading though:

	http://www.lifewiki.net/openid/ConsolidatedDelegationProposal

I have concluded there is no caching advantage

Specifically if you look at these two sections:



RP Rules for Identifier Parameters

Case 3: URL WITH IdP-Specific Identifier

If Portable Identifier is a URL that DOES map to a IdP-Specific  
Identifier, the values are:

openid.identity = IdP-Specific Identifier
openid.portable = Portable Identifier

IdP Rules for Identifier Parameters

3. If openid.identity = Portable Identifier that IdP does not  
recognize, IdP MUST to discovery to obtain the IdP-Specific Identifier.



I conclude the following:

*** Given IdP Rule 3, the IdP must bind the IdP-Specific Identifier  
and the Portable Identifier, so the RP sending both does may save the  
IdP effort, but leaves a potential security issue. (see Cached  
Discovery Attack below)

*** the RP is using the Portable Identifier to identify the user, and  
does nothing with the IdP-Specific Identifier, so there is no value  
in the IdP sending both the Portable Identifier and the IdP-Specific  
Identifier. Note that the RP either maintains state that the IdP is  
bound to the Portable Identifier, or needs to do discover again.

=> The only reason for the RP to send the openid.identity to the IdP  
is for backward compatibility with OpenID 1.x, similarly the only  
reason for the IdP to send openid.identity to the RP is for OpenID  
1.x compatibility. There are no caching advantages.



Cached Discovery Attack:

A malicious user takes over my blog, opens an account at the same IdP  
I use, inserts her IdP-Specific Identifier into my blog, and then  
uses my blog URL. The IdP will see the blog URL and the IdP-Specific  
Identifier don't match, do discovery on the blog URL, and then map my  
blog URL (Portable Identifier) to her IdP-Specific Identifier.

I discover that my blog URL has been hacked, and restore my IdP- 
Specific Identifier.

The malicious user goes to an RP, that providing her blog URL that  
contains her IdP-Specific Identifier. She captures the message from  
the RP, and changes the Portable Identifier to be my blog URL. The  
IdP still thinks the Portable Identifier is mapped to her IdP- 
Specific Identifier, and allows her to login to the RP as me.

Solutions:

1) The IdP does discovery on the blog URL each time it is used.
2) The IdP has complex logic to ...





More information about the specs mailing list