Two Identifiers - no caching advantage

Josh Hoyt josh at janrain.com
Thu Oct 19 18:12:32 UTC 2006


On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
> > Your attack fails.
>
> <sigh> reread the attack. The portable identifier and the IdP do match.

No the identifiers do not.

It did at one time, but not at the time that the attack takes place.
While she has control of your blog, she has control of your
identifier. If you regain control (change it back), the RP will no
longer let her log in, regardless of whether she can get an assertion
from the RP.

The relying party needs to verify the discovered information when it
gets a response.

Your attack fails.

Josh
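The check Josh describes, as an added example that is not code from the thread or from any OpenID implementation: the relying party re-runs discovery on the claimed identifier when the assertion arrives and compares the IdP endpoint and delegated identifier it finds now with what the assertion carries. The URLs, field names and the in-memory discovery table are constructed for illustration; a real RP would fetch the identifier over HTTP and would also verify the assertion's signature.

```python
# Added example, not from the mailing-list post. Models a relying party (RP)
# that re-discovers the claimed identifier at response time and rejects an
# assertion whose IdP or delegated identifier no longer matches. All names,
# URLs and the discovery table below are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Discovered:
    """What discovery on a claimed identifier yields right now (constructed)."""
    op_endpoint: str  # IdP endpoint the identifier currently delegates to
    local_id: str     # identifier that IdP knows the user by


# Constructed stand-in for live discovery: the owner has regained control of the
# blog, so the identifier points at the owner's IdP again.
DISCOVERY_NOW = {
    "https://blog.example/alice": Discovered(
        op_endpoint="https://idp-a.example/auth",
        local_id="https://idp-a.example/user/alice",
    ),
}


def discover_now(claimed_id: str) -> Optional[Discovered]:
    """Hypothetical discovery function; a real RP would fetch claimed_id."""
    return DISCOVERY_NOW.get(claimed_id)


def verify_assertion(assertion: dict,
                     discover: Callable[[str], Optional[Discovered]] = discover_now
                     ) -> bool:
    """Accept the assertion only if discovery at response time agrees with it.

    `assertion` is a constructed dict with the three fields the RP compares:
    claimed_id, op_endpoint and local_id. Signature checking is out of scope.
    """
    current = discover(assertion["claimed_id"])
    if current is None:
        return False  # identifier no longer discoverable: nothing to compare with
    # The assertion must come from the IdP the identifier delegates to *now*
    # and must name the user by the identifier that IdP currently uses.
    return (assertion["op_endpoint"] == current.op_endpoint
            and assertion["local_id"] == current.local_id)


# Assertion minted while the attacker's IdP was the delegation target; it is
# stale once the owner has changed the identifier back.
STALE_ATTACKER_ASSERTION = {
    "claimed_id": "https://blog.example/alice",
    "op_endpoint": "https://idp-evil.example/auth",
    "local_id": "https://idp-evil.example/user/mallory",
}

# Assertion from the IdP the identifier currently delegates to.
CURRENT_OWNER_ASSERTION = {
    "claimed_id": "https://blog.example/alice",
    "op_endpoint": "https://idp-a.example/auth",
    "local_id": "https://idp-a.example/user/alice",
}

if __name__ == "__main__":
    print("stale attacker assertion accepted:",
          verify_assertion(STALE_ATTACKER_ASSERTION))   # False
    print("current owner assertion accepted:",
          verify_assertion(CURRENT_OWNER_ASSERTION))    # True
```

The `discover` parameter exists so the same check can be exercised against a discovery result that still points at the attacker's IdP: while the identifier is under her control, discovery and assertion agree and the RP has no way to tell, which is exactly why the comparison has to happen at response time rather than against data cached from an earlier discovery.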



More information about the specs mailing list