[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 20:43:34 UTC 2006
On Fri, 27 Oct 2006 12:40:14 -0700, Josh Hoyt wrote:
> On 10/27/06, Dan Lyke <danlyke at flutterby.com> wrote:
>> Yes, but that's up to the Relying Party, so if the Relying Party
>> doesn't do their homework it's their own damned fault.
>
> Um, can you explain why it's harmful?
I overspoke... err... typed.
I assume they're in there, in conjunction with the nonce, to protect
against replay attacks which would let a MitM between the RP and the IdP
falsely authenticate a URL, right? And (depending on how long the IdP
chooses to maintain them; when I read the spec I was thinking that the
association would generally be good for weeks) to authenticate the IdP
against DNS spoofing?
Of course HTTPS for that connection makes them redundant. And in my
RP, I'd probably ignore them.
Dan
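The check Dan is describing, an RP that uses a shared association secret plus a nonce to reject forged or replayed IdP responses, as an added Python example. This is not code from the thread or from any OpenID library: the field names, the "key:value\n" signing layout, HMAC-SHA256, the 300-second nonce window and the 14-day association lifetime are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Association:
    # Shared secret the RP and IdP agreed on earlier, identified by a handle.
    handle: str
    secret: bytes
    expires_at: int  # unix seconds (assumed lifetime; the spec's own is not modelled)


def signed_payload(fields: dict, signed: list) -> bytes:
    # Canonical bytes over the fields the IdP declares as signed (assumed layout).
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign_response(assoc: Association, fields: dict, signed: list) -> str:
    return hmac.new(assoc.secret, signed_payload(fields, signed), hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, clock, nonce_ttl: int = 300):
        self._clock = clock            # injectable clock so the example is deterministic
        self._assocs = {}              # handle -> Association
        self._seen_nonces = {}         # nonce -> timestamp it was accepted with
        self.nonce_ttl = nonce_ttl

    def add_association(self, assoc: Association) -> None:
        self._assocs[assoc.handle] = assoc

    def verify(self, response: dict) -> str:
        """Return "ok" or the reason the response was rejected."""
        now = self._clock()
        assoc = self._assocs.get(response.get("assoc_handle"))
        if assoc is None:
            return "unknown association"
        if now >= assoc.expires_at:
            return "expired association"
        signed = response.get("signed", "").split(",")
        # Without these under the signature a MitM could swap them freely.
        if not {"assoc_handle", "identity", "nonce", "ts"}.issubset(signed):
            return "required field not signed"
        if any(k not in response for k in signed):
            return "signed field missing"
        expected = sign_response(assoc, response, signed)
        if not hmac.compare_digest(expected, response.get("sig", "")):
            return "bad signature"      # forged, tampered, or not from the IdP holding the secret
        try:
            ts = int(response["ts"])
        except ValueError:
            return "malformed timestamp"
        if abs(now - ts) > self.nonce_ttl:
            return "stale nonce"        # bounds how long the nonce store must remember
        nonce = response["nonce"]
        self._prune(now)                # only after authentication, so junk can't churn the store
        if nonce in self._seen_nonces:
            return "replayed nonce"
        self._seen_nonces[nonce] = ts
        return "ok"

    def _prune(self, now: int) -> None:
        cutoff = now - self.nonce_ttl
        for n, ts in list(self._seen_nonces.items()):
            if ts < cutoff:
                del self._seen_nonces[n]


def demo() -> list:
    # Constructed scenario: one valid response, then the four failure modes.
    clock = {"t": 1_161_981_814}  # constructed epoch near the date of the post
    rp = RelyingParty(lambda: clock["t"], nonce_ttl=300)
    assoc = Association("handle-1", secrets.token_bytes(32), clock["t"] + 14 * 86400)
    rp.add_association(assoc)
    signed = ["assoc_handle", "identity", "nonce", "ts"]
    resp = {"assoc_handle": "handle-1", "identity": "http://example.com/dan",
            "nonce": "n-" + secrets.token_hex(8), "ts": str(clock["t"]),
            "signed": ",".join(signed)}
    resp["sig"] = sign_response(assoc, resp, signed)
    results = [rp.verify(resp), rp.verify(resp)]          # ok, then replayed nonce
    tampered = dict(resp, identity="http://example.com/mallory")
    results.append(rp.verify(tampered))                    # bad signature
    stale = dict(resp, nonce="n-stale", ts=str(clock["t"] - 3600))
    stale["sig"] = sign_response(assoc, stale, signed)
    results.append(rp.verify(stale))                       # stale nonce
    clock["t"] += 15 * 86400                               # past the association lifetime
    late = dict(resp, nonce="n-late", ts=str(clock["t"]))
    late["sig"] = sign_response(assoc, late, signed)
    results.append(rp.verify(late))                        # expired association
    return results
```

The ordering matters: the association and signature are checked before the nonce store is touched, so only responses that already carry a valid MAC from the IdP's secret can occupy memory in the replay table, and the timestamp window keeps that table bounded.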