Two Identifiers - no caching advantage
Josh Hoyt
josh at janrain.com
Thu Oct 19 18:12:32 UTC 2006
On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
> > Your attack fails.
>
> <sigh> reread the attack. The portable identifier and the IdP do match.
No, the identifiers do not.
It did at one time, but not at the time that the attack takes place.
While she has control of your blog, she has control of your
identifier. If you regain control (change it back), the RP will no
longer let her log in, regardless of whether she can get an assertion
from the RP.
The relying party needs to verify the discovered information when it
gets a response.
Your attack fails.
Josh
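As an added illustration of the point made in this reply (verifying the discovered information at response time rather than trusting an earlier result), here is a toy relying-party model in Python. It is not code from the thread, from the OpenID specification or from any OpenID library; the identifier URL, the two OP endpoints and the in-memory stand-in for the web are all constructed.

```python
# Toy model of a relying party (RP) that re-verifies discovered information
# when the authentication response arrives. Constructed example; the
# identifier, the OP endpoint URLs and the in-memory "web" are made up.

# Constructed stand-in for the web: identifier URL -> OP endpoint that the
# identifier's page currently declares (what discovery would find right now).
WEB = {}


def publish(identifier, op_endpoint):
    """Simulate whoever currently controls the identifier's page changing
    which OP the identifier points at."""
    WEB[identifier] = op_endpoint


def discover(identifier):
    """Fresh discovery: read the OP endpoint the page declares right now."""
    return WEB.get(identifier)


def verify_fresh(claimed_id, asserting_op):
    """RP check performed at response time: accept the assertion only if
    discovery on the claimed identifier, done now, names the OP that
    produced the assertion."""
    return discover(claimed_id) == asserting_op


def verify_cached(claimed_id, asserting_op, cache):
    """Weaker RP that trusts whatever discovery result it cached earlier."""
    return cache.get(claimed_id) == asserting_op


def scenario():
    """Walk through the situation discussed in the thread and report what
    each RP policy decides at each step (True = login accepted)."""
    blog = "https://example.invalid/alice-blog"        # constructed identifier
    alice_op = "https://op.example.invalid/alice"      # constructed OP endpoint
    mallory_op = "https://op.example.invalid/mallory"  # constructed OP endpoint

    publish(blog, alice_op)          # the owner's blog delegates to her own OP
    cache = {blog: discover(blog)}   # RP cached discovery during an earlier login

    results = {}
    # While the other party controls the blog page, the identifier points at
    # her OP, so an assertion from that OP matches fresh discovery.
    publish(blog, mallory_op)
    results["during_control_fresh"] = verify_fresh(blog, mallory_op)
    results["during_control_cached"] = verify_cached(blog, mallory_op, cache)
    # Suppose the RP happened to refresh its cache while the page was altered.
    cache[blog] = discover(blog)

    # The owner regains control and points the blog back at her own OP.
    publish(blog, alice_op)
    results["after_restore_fresh"] = verify_fresh(blog, mallory_op)
    results["after_restore_cached"] = verify_cached(blog, mallory_op, cache)
    results["owner_after_restore_fresh"] = verify_fresh(blog, alice_op)
    return results


if __name__ == "__main__":
    for step, accepted in scenario().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

The `after_restore_*` entries carry the point of the reply: once the identifier is changed back, an RP that re-discovers at response time rejects an assertion from the other OP, whereas an RP relying on a stale cached discovery result would still accept it.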