Two Identifiers - no caching advantage

Dick Hardt dick at sxip.com
Sun Oct 22 15:35:15 UTC 2006


On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:

> On 10/21/06, Dick Hardt <dick at sxip.com> wrote:
>>         2) the RP does not verify the binding between the portable
>> identifier and the IdP-specific identifier in the response.
>>   to the one the attacker controls and the IdP has mapped
>
> This is the part where I think you're wrong. The RP MUST verify that
> binding, whether it is by keeping state, self-signing the request
> (which gets passed through to the response) or doing discovery again.

I agree the RP SHOULD do that. The proposal does not specify that.
I thought we had that conversation. I have not looked at the patch  
that you sent. Perhaps you address the issue there.

My point though is: why have the RP bind the IdP-specific identifier  
and the public identifier? Why not let the IdP be responsible for this?

In 1.x when the IdP was not aware of the public identifier, then the  
RP had to do the binding. Now that the IdP is aware of the public  
identifier, it would be simpler and logical for the IdP to be  
responsible for the binding. It is doing it anyway.

All the RP wants is which public identifier is the user, and is the  
IdP authoritative for it.

-- Dick
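The two RP-side checks Josh lists above (keeping state, or doing discovery again) as an added example for this thread; this is illustrative code written for the discussion, not from the OpenID specification or any implementation. The field names `portable_id`, `local_id` and `endpoint`, the discovery table, and the session dictionary are all constructed stand-ins, and the response is assumed to have already passed signature verification with the IdP.

```python
"""Verifying the binding between a portable identifier and an IdP-specific
identifier in an authentication response, two ways: from state kept at request
time, or by re-running discovery on the portable identifier in the response.
Illustrative code for the thread; field names and data are constructed."""

from typing import Dict, Tuple

# Constructed stand-in for discovery on a portable identifier. A real RP would
# perform discovery over the network; the results are fixed here so the example
# runs offline. Value is (IdP endpoint, IdP-specific identifier).
DISCOVERY_TABLE: Dict[str, Tuple[str, str]] = {
    "https://alice.example/":   ("https://idp.example/auth", "https://idp.example/u/alice"),
    "https://mallory.example/": ("https://idp.example/auth", "https://idp.example/u/mallory"),
}


class BindingError(Exception):
    """Raised when a response does not carry the binding the RP expects."""


def discover(portable_id: str) -> Tuple[str, str]:
    """Return (idp_endpoint, idp_specific_id) for a portable identifier."""
    try:
        return DISCOVERY_TABLE[portable_id]
    except KeyError:
        raise BindingError(f"discovery failed for {portable_id}") from None


def begin_auth(portable_id: str, session: dict) -> dict:
    """RP side of the request: discover once and remember the binding in
    per-session state (the 'keeping state' option in the thread)."""
    endpoint, local_id = discover(portable_id)
    session["expected_binding"] = {
        "portable_id": portable_id,
        "local_id": local_id,
        "endpoint": endpoint,
    }
    # The request handed to the IdP (assumed field names, not the spec's).
    return {"portable_id": portable_id, "local_id": local_id, "endpoint": endpoint}


def verify_with_state(response: dict, session: dict) -> str:
    """Check the (already signature-verified) response against the binding the
    RP stored when it issued the request. Returns the portable identifier."""
    expected = session.get("expected_binding")
    if expected is None:
        raise BindingError("no pending request in this session")
    for key in ("portable_id", "local_id", "endpoint"):
        if response.get(key) != expected[key]:
            raise BindingError(f"{key} in response does not match the request")
    # Consume the stored binding so the same response cannot be accepted twice
    # against this session.
    del session["expected_binding"]
    return response["portable_id"]


def verify_by_rediscovery(response: dict) -> str:
    """Stateless alternative: redo discovery on the portable identifier named in
    the response and require the same IdP and the same IdP-specific identifier.
    This is what makes the IdP 'authoritative' for the portable identifier from
    the RP's point of view."""
    portable_id = response.get("portable_id", "")
    endpoint, local_id = discover(portable_id)
    if response.get("endpoint") != endpoint:
        raise BindingError("response is from an IdP not authoritative for this identifier")
    if response.get("local_id") != local_id:
        raise BindingError("IdP-specific identifier is not bound to this portable identifier")
    return portable_id


if __name__ == "__main__":
    session: dict = {}
    request = begin_auth("https://alice.example/", session)
    # A well-formed response echoes the request's binding.
    print(verify_with_state(dict(request), session))
    print(verify_by_rediscovery(dict(request)))
```

Either check catches a response whose portable identifier and IdP-specific identifier were not bound together by discovery; the stateful version additionally ties the response to the specific request this RP session issued, while the re-discovery version costs a second discovery round trip but needs no RP state.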


