[OpenID] TransparencyCamp and OpenID (U)
Eric Norman
ejnorman at doit.wisc.edu
Fri Mar 13 13:52:10 UTC 2009
On Mar 13, 2009, at 8:28 AM, Ben Laurie wrote:
> On Fri, Mar 13, 2009 at 10:42 AM, Paul Madsen <paulmadsen at rogers.com>
> wrote:
>> 1c) Assertions shall be specific to a single transaction, and, if
>> assertion references are used, they shall be freshly generated whenever
>> a new assertion is created by the Verifier. In other words, assertions
>> and assertion references are generated for one time use.
>> 2b) assertions shall be protected against manufacture/modification,
>> capture, redirect and reuse.
>
> Reuse? Surely the whole point of assertions is that they _can_ be
> reused? e.g. I should be able to prove that everyone who logged in to
> my over 18 site was over 18. How do I do that without reuse?
See 1c above. In NIST-speak, "Verifier" essentially means what others
mean by "Identity Provider". See definition in glossary of 800-63 and
commentary in section 5.4.
Eric Norman