Two Identifiers - no caching advantage
Josh Hoyt
josh at janrain.com
Thu Oct 19 18:18:56 UTC 2006
On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
> <sigh> reread the attack. The portable identifier and the IdP do match.
In fact, this makes me think of an attack that *would* succeed if the
IdP-specific identifier was not in the response:
when she has control, she initiates a log-in, but traps the response
(it's valid, but never gets submitted to the relying party).
After you regain control, she has a valid response for your identifier
and you have no way to invalidate it. If the IdP-specific identifier
was in the response, changing that would invalidate the response.
Josh
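A small model of the check Josh describes, added here as an illustration (it is not code from the thread or from any OpenID library): the relying party re-discovers the portable identifier and compares the IdP-specific identifier carried in the response against the current binding, so a response trapped before the user rebinds is rejected only when that identifier is present. The identifiers, endpoint and association secret are constructed values.

```python
import hmac
import hashlib

# Constructed RP view of discovery: portable identifier -> (IdP endpoint,
# IdP-specific identifier). In OpenID 2.0 terms, claimed_id -> (op_endpoint, op_local_id).
DISCOVERY = {"https://alice.example/": ("https://op.example/", "alice-2006")}

ASSOC_SECRET = b"constructed-shared-secret"  # constructed RP<->IdP association key


def sign(fields):
    """IdP side: sign the response fields with the association secret."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


def issue(claimed_id, local_id=None):
    """IdP issues a positive assertion; local_id=None models a response
    that carries only the portable identifier."""
    fields = {"claimed_id": claimed_id, "op_endpoint": "https://op.example/"}
    if local_id is not None:
        fields["op_local_id"] = local_id
    fields["sig"] = sign(fields)
    return fields


def verify(resp, discovery):
    """RP side: check the signature, then re-discover the claimed identifier
    and compare endpoint and IdP-specific identifier with the response."""
    unsigned = {k: v for k, v in resp.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned), resp["sig"]):
        return False
    endpoint, local_id = discovery[resp["claimed_id"]]
    if resp["op_endpoint"] != endpoint:
        return False
    # If the response has no IdP-specific identifier there is nothing left to
    # compare, so a stale trapped response is indistinguishable from a fresh one.
    if "op_local_id" in resp and resp["op_local_id"] != local_id:
        return False
    return True


def stale_response_accepted(include_local_id):
    """The scenario from the post: a valid response is trapped while the
    attacker has control, then the user regains control and rebinds."""
    discovery = dict(DISCOVERY)
    trapped = issue("https://alice.example/", "alice-2006" if include_local_id else None)
    discovery["https://alice.example/"] = ("https://op.example/", "alice-2007")  # user rebinds
    return verify(trapped, discovery)
```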
More information about the specs mailing list