Yet Another Delegation Thread
Martin Atkins
mart at degeneration.co.uk
Wed Oct 25 19:23:12 UTC 2006
Dick Hardt wrote:
> On 25-Oct-06, at 10:36 AM, Josh Hoyt wrote:
>
>> On 10/25/06, Dick Hardt <dick at sxip.com> wrote:
>>>> 2) Since the RP has to do discovery on the Claimed Identifier
>>>> anyway, if it
>>>> discovers a mapping between the Claimed Identifier and an IdP-
>>> Specific
>>>> Identifier, the RP can send the IdP-Specific Identifier to the IdP
>>>> and save
>>>> the IdP from having to repeat discovery.
>>> unfortunately that disco information could be modified en route, so
>>> the IdP can't trust it
>> I have said this several times already, but THE IDP DOES NOT HAVE TO
>> TRUST THIS INFORMATION.
>
> Then why send it?
That's what I've been asking all along! :)
What exactly do we imagine the IdP doing with the claimed_identifier?
The main answer I've seen anyone post so far is that the IdP will use it
to greet the user, but:
* If it's only used for display, the IdP doesn't really need to check
it since the user or RP is only fooling itself.
* I would expect my IdP to greet me as "Martin", since I've
registered with them and so they presumably know my name. Even if they
don't have a record of my name, there's no point in parroting back to me
whatever I just typed into the login form! [1]
[1] 10 INPUT "What is your name?"; N$
20 PRINT "Hello, "; N$; "!"