Two Identifiers - no caching advantage

Josh Hoyt josh at janrain.com
Thu Oct 19 18:18:56 UTC 2006


On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
> <sigh> reread the attack. The portable identifier and the IdP do match.

In fact, this makes me think of an attack that *would* succeed if the
IdP-specific identifier was not in the response:

when she has control, she initiates a log-in, but traps the response
(it's valid, but never gets submitted to the relying party).

After you regain control, she has a valid response for your identifier
and you have no way to invalidate it. If the IdP-specific identifier
was in the response, changing that would invalidate the response.

Josh
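An added example, not part of the original thread, modelling the point Josh makes: a relying party that checks the IdP-specific identifier in the response against what the user's portable identifier page currently delegates to will reject a previously captured response once the user changes that delegation, while a response carrying only the portable identifier stays verifiable. The discovery table, the association key and the signing scheme are all constructed here for illustration and are not an OpenID library's code.

```python
"""
Toy model of OpenID-style delegation and response verification (constructed example).

Assumptions:
- a user's portable identifier page publishes (op_endpoint, local_id), i.e. the
  IdP endpoint and the IdP-specific identifier it delegates to;
- the IdP signs responses with an HMAC keyed by a secret shared with the relying
  party (standing in for an association).
"""
import hashlib
import hmac

ASSOC_KEY = b"constructed-shared-secret"  # constructed sample association key


def fresh_discovery():
    """Constructed discovery table: portable identifier -> (IdP endpoint, IdP-specific identifier)."""
    return {
        "https://alice.example.org/": (
            "https://idp.example.net/",
            "https://idp.example.net/user/alice-1",
        ),
    }


def sign(fields):
    """HMAC over the canonicalised response fields (all fields except 'sig')."""
    msg = "\n".join(f"{k}:{v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(ASSOC_KEY, msg, hashlib.sha256).hexdigest()


def idp_response(discovery, claimed_id, include_local_id):
    """IdP builds a positive assertion for the portable (claimed) identifier."""
    op_endpoint, local_id = discovery[claimed_id]
    fields = {"claimed_id": claimed_id, "op_endpoint": op_endpoint}
    if include_local_id:
        fields["identity"] = local_id  # the IdP-specific identifier
    fields["sig"] = sign(fields)
    return fields


def rp_verify(discovery, resp):
    """Relying party: signature must be valid and the response must match current discovery."""
    sig = resp.get("sig")
    unsigned = {k: v for k, v in resp.items() if k != "sig"}
    if not sig or not hmac.compare_digest(sig, sign(unsigned)):
        return False
    discovered = discovery.get(resp.get("claimed_id"))
    if discovered is None or discovered[0] != resp.get("op_endpoint"):
        return False
    # When the IdP-specific identifier is present it must equal the one the
    # user's page delegates to *now*; changing the delegation invalidates old responses.
    if "identity" in resp and resp["identity"] != discovered[1]:
        return False
    return True


def user_changes_delegation(discovery, claimed_id, new_local_id):
    """The user re-points their portable identifier at a different IdP-specific identifier."""
    op_endpoint, _ = discovery[claimed_id]
    discovery[claimed_id] = (op_endpoint, new_local_id)


def demo():
    """Returns (verdicts before re-delegation, verdicts after) for the two response shapes."""
    discovery = fresh_discovery()
    alice = "https://alice.example.org/"
    portable_only = idp_response(discovery, alice, include_local_id=False)
    with_local_id = idp_response(discovery, alice, include_local_id=True)
    before = (rp_verify(discovery, portable_only), rp_verify(discovery, with_local_id))
    user_changes_delegation(discovery, alice, "https://idp.example.net/user/alice-2")
    after = (rp_verify(discovery, portable_only), rp_verify(discovery, with_local_id))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The response without the IdP-specific identifier keeps verifying after the user re-delegates, which is the failure mode the message describes; the one that carries it is rejected by the discovery check. OpenID Authentication 2.0 makes this comparison of the returned OP-Local Identifier against discovered information a required relying-party check (Section 11.2).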
