Two Identifiers - no caching advantage
Dick Hardt
dick at sxip.com
Thu Oct 19 07:12:52 UTC 2006
After reading through:
http://www.lifewiki.net/openid/ConsolidatedDelegationProposal
I have concluded there is no caching advantage
Specifically if you look at these two sections:
RP Rules for Identifier Parameters
Case 3: URL WITH IdP-Specific Identifier
If Portable Identifier is a URL that DOES map to a IdP-Specific
Identifier, the values are:
openid.identity = IdP-Specific Identifier
openid.portable = Portable Identifier
IdP Rules for Identifier Parameters
3. If openid.identity = Portable Identifier that IdP does not
recognize, IdP MUST do discovery to obtain the IdP-Specific Identifier.
I conclude the following:
*** Given IdP Rule 3, the IdP must bind the IdP-Specific Identifier
and the Portable Identifier, so the RP sending both may save the
IdP effort, but leaves a potential security issue. (see Cached
Discovery Attack below)
*** the RP is using the Portable Identifier to identify the user, and
does nothing with the IdP-Specific Identifier, so there is no value
in the IdP sending both the Portable Identifier and the IdP-Specific
Identifier. Note that the RP either maintains state that the IdP is
bound to the Portable Identifier, or needs to do discovery again.
=> The only reason for the RP to send the openid.identity to the IdP
is for backward compatibility with OpenID 1.x, similarly the only
reason for the IdP to send openid.identity to the RP is for OpenID
1.x compatibility. There are no caching advantages.
Cached Discovery Attack:
A malicious user takes over my blog, opens an account at the same IdP
I use, inserts her IdP-Specific Identifier into my blog, and then
uses my blog URL. The IdP will see the blog URL and the IdP-Specific
Identifier don't match, do discovery on the blog URL, and then map my
blog URL (Portable Identifier) to her IdP-Specific Identifier.
I discover that my blog URL has been hacked, and restore my IdP-Specific Identifier.
The malicious user goes to an RP, providing her blog URL that
contains her IdP-Specific Identifier. She captures the message from
the RP, and changes the Portable Identifier to be my blog URL. The
IdP still thinks the Portable Identifier is mapped to her IdP-Specific
Identifier, and allows her to log in to the RP as me.
Solutions:
1) The IdP does discovery on the blog URL each time it is used.
2) The IdP has complex logic to ...
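To make the two outcomes concrete, here is an added Python model (not from the post or any OpenID implementation) of an IdP that caches the Portable-to-IdP-Specific mapping beside one that follows solution 1 and re-discovers on every use. The identifiers and the in-memory "web" standing in for discovery are constructed.

```python
from dataclasses import dataclass, field

ALICE = "https://idp.example/alice"      # constructed: victim's IdP-Specific Identifier
MALLORY = "https://idp.example/mallory"  # constructed: attacker's account at the same IdP
BLOG = "https://blog.example/"           # constructed: victim's Portable Identifier (blog URL)


@dataclass
class IdP:
    web: dict              # simulated web: Portable Identifier -> IdP-Specific Identifier declared on that page
    cache_discovery: bool  # True models the cached-mapping behaviour the post warns about
    cache: dict = field(default_factory=dict)

    def discover(self, portable):
        """Simulated discovery: stands in for fetching the URL and reading its delegation."""
        return self.web.get(portable)

    def resolve(self, portable):
        """IdP Rule 3 from the post: map a Portable Identifier to an IdP-Specific Identifier."""
        if self.cache_discovery and portable in self.cache:
            return self.cache[portable]
        specific = self.discover(portable)
        if self.cache_discovery and specific is not None:
            self.cache[portable] = specific
        return specific

    def authorize(self, session_user, identity, portable):
        """Should the IdP assert `portable` for the logged-in account? Only if the
        Portable Identifier resolves to that same account."""
        return identity == session_user and self.resolve(portable) == session_user


def run_scenario(cache_discovery):
    """Replay the post's three steps and report who the IdP would vouch for."""
    web = {BLOG: ALICE}
    idp = IdP(web=web, cache_discovery=cache_discovery)
    # Step 1: the blog is altered to delegate to the attacker's account, which then uses it.
    web[BLOG] = MALLORY
    during = idp.authorize(MALLORY, MALLORY, BLOG)
    # Step 2: the owner restores the blog's delegation.
    web[BLOG] = ALICE
    # Step 3: a request names the restored blog URL as openid.portable for the attacker's session.
    after = idp.authorize(MALLORY, MALLORY, BLOG)
    owner = idp.authorize(ALICE, ALICE, BLOG)
    return {"during": during, "after_restore": after, "owner_after_restore": owner}
```

With caching, the stale mapping still vouches for the attacker after the fix and locks the real owner out; with discovery on every use (solution 1), the restored page is honoured immediately.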