Two Identifiers - no caching advantage

Dick Hardt dick at sxip.com
Thu Oct 19 17:57:12 UTC 2006


On 19-Oct-06, at 10:40 AM, Josh Hoyt wrote:

> On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
>> My head is a little more clear this morning, so let me clarify.
>>
>> My key point is that the IdP cannot trust the discovery done by the
>> RP since the request is unsigned and may have been modified
>> between the RP and the IdP.
>
> The IdP shouldn't trust the message from RP. It doesn't need to trust
> the message from the RP. Trusting the message from the RP would be a
> mistake, because the relying party is not the authority for the
> information provided. Signing the request has no effect on this issue.
>
> The IdP does not need to trust the portable identifier given. An RP
> will not honor a claim about an identifier whose discovery information
> does not match, since it *must* check to make sure it matches *in any
> case*. Even if bad information was sent in the request *and the IdP
> did not verify it*, the relying party will reject the (bogus)
> assertion from the IdP because it does not match the discovered
> information for the portable identifier.
>
> Your attack fails.

<sigh> reread the attack. The portable identifier and the IdP do match.

>
>> I was showing a potential attack vector where even though I think I
>> have resolved the issue, it is not resolved.
>
> I can't figure out what this means. Who has resolved which issue? And how?

Sorry. I was referring to the attack. I have discovered that someone
has hacked my blog (not an uncommon thing for some people) and have
fixed it. The IdP has a stale map between the portable identifier and
the malicious user's IdP-specific identifier, so even though I have
recovered control of my blog, the malicious user can still pretend to
be my portable identifier.
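An added illustration of the stale-map scenario discussed in this thread (my own code, not from the OpenID specification or from either poster): it models an IdP's cached portable-identifier to local-identifier map beside one that re-runs discovery at assertion time, and an RP check that compares only the IdP endpoint beside one that also compares the local (delegate) identifier. The field names `claimed_id`, `local_id` and `op_endpoint`, the sample site and the user names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discovery:
    """What discovery on a portable identifier currently returns."""
    op_endpoint: str
    local_id: str  # the IdP-specific (delegate) identifier the site names

def discover(site, claimed_id):
    """Fresh discovery: read the current document, never a cache."""
    return site[claimed_id]

class CachingIdP:
    """IdP that remembers portable_id -> local_id from the first time it resolved it."""
    def __init__(self, endpoint):
        self.endpoint, self.cache = endpoint, {}
    def mapped_local_id(self, site, claimed_id):
        return self.cache.setdefault(claimed_id, discover(site, claimed_id).local_id)
    def assert_identity(self, site, claimed_id, logged_in_user):
        if self.mapped_local_id(site, claimed_id) != logged_in_user:
            return None
        return {"claimed_id": claimed_id, "local_id": logged_in_user, "op_endpoint": self.endpoint}

class VerifyingIdP(CachingIdP):
    """IdP that re-does discovery at assertion time, so a stale map is never consulted."""
    def mapped_local_id(self, site, claimed_id):
        return discover(site, claimed_id).local_id

def rp_accepts(site, assertion, check_local_id=True):
    """RP re-discovers the claimed identifier and compares the result with the assertion."""
    d = discover(site, assertion["claimed_id"])
    if d.op_endpoint != assertion["op_endpoint"]:
        return False
    return (not check_local_id) or d.local_id == assertion["local_id"]

def run_scenario(idp_cls):
    blog, idp = "https://blog.example/", idp_cls("https://idp.example/")
    site = {blog: Discovery(idp.endpoint, "alice")}  # constructed sample site
    # while the blog's discovery document is tampered with, it names a different account at the same IdP
    site[blog] = Discovery(idp.endpoint, "mallory")
    idp.assert_identity(site, blog, "mallory")  # IdP resolves (and may cache) the map
    # the owner regains control and restores the delegate to her own account
    site[blog] = Discovery(idp.endpoint, "alice")
    later = idp.assert_identity(site, blog, "mallory")  # the other account tries again
    return {
        "idp_still_asserts": later is not None,
        "rp_accepts_endpoint_only": later is not None and rp_accepts(site, later, check_local_id=False),
        "rp_accepts_full_check": later is not None and rp_accepts(site, later),
    }
```

Running `run_scenario(CachingIdP)` shows the stale map surviving the site's recovery and only the RP's local-identifier comparison rejecting the assertion; `run_scenario(VerifyingIdP)` shows the IdP refusing at the source.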


