[security] [PROPOSAL] Giving Signatures/Assertions Context
Dick Hardt
dick at sxip.com
Wed Nov 8 00:15:02 UTC 2006
On 7-Nov-06, at 3:42 PM, Recordon, David wrote:
> So I know I said no more proposals like a month ago, but this one helps
> from a security perspective around the signature on the response.
>
> Currently the response must have "return_to", "response_nonce" and then
> "disco_id" and "identity" if they are present. I'm proposing that we
> add to this requirement the following fields:
> add to this requirement the following fields:
> - assoc_handle
> - URI identifier for the IdP's server endpoint
++1
I would not consider this a proposal, this is a bug fix!
>
> This helps to:
> - Make the signature clearly reflect the request
> - Gives the assertion/signature context on its own
> - Reduces the potential for replaying responses in differing contexts,
> though the nonce takes care of this already
>
> The main benefit is really helping to make the context of the response
> more clear so that a response on its own clearly shows the IdP it is
> from, the association handle, along with where the user is being sent,
> the nonce, and the identifier.
>
> The one potential point for objection we see is that there are times
> when a signer may wish to remain anonymous, but rather leave it to the
> recipient to know who they are. I don't see this as a concern within
> OpenID as it stands today, though wanted to mention it for
> completeness.
Side note: Would you explain how the signer can be anonymous? The OP
URL in the message must match what is found during discovery.
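As an added example (not code from the thread or from any OpenID implementation), the following Python sketch illustrates the property David is after: it signs a response over a chosen list of fields and then checks whether a response re-attributed to another OP endpoint and association handle is still accepted by the signature alone. It assumes OpenID's `key:value\n` key-value serialisation with an HMAC over it (the message does not spell out the format), and the response values are constructed sample data.

```python
import base64
import hashlib
import hmac

# Fields the response must sign today, per the quoted message
# ("disco_id" is also signed when present; omitted from this sample).
CURRENT_SIGNED = ["return_to", "response_nonce", "identity"]
# The proposal adds the association handle and the OP endpoint URL.
PROPOSED_SIGNED = CURRENT_SIGNED + ["assoc_handle", "op_endpoint"]

# Constructed sample values; not taken from the thread.
MAC_KEY = b"constructed-association-mac-key"
RESPONSE = {
    "op_endpoint": "https://op.example/server",
    "assoc_handle": "assoc-1",
    "return_to": "https://rp.example/finish",
    "response_nonce": "2006-11-08T00:15:02Zabc",
    "identity": "https://alice.example/",
}


def kv_form(fields, signed):
    """Serialise the signed fields, in order, as 'key:value\\n' lines (assumed format)."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form, base64 encoded like an openid.sig value."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(fields, signed, mac_key, sig):
    return hmac.compare_digest(sign(fields, signed, mac_key), sig)


def context_swap_detected(signed):
    """Sign RESPONSE, then re-attribute it to a different OP endpoint and
    association handle. Return True if the original signature no longer
    verifies, i.e. the signature by itself carries that context."""
    sig = sign(RESPONSE, signed, MAC_KEY)
    swapped = dict(RESPONSE, op_endpoint="https://other-op.example/server",
                   assoc_handle="assoc-2")
    return not verify(swapped, signed, MAC_KEY, sig)
```

With the current field list the swapped response still verifies (the signature says nothing about which OP or association produced it); with the proposed list it is rejected.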