[security] Phishing issues with return_to url and realm
Allen Tom
atom at yahoo-inc.com
Tue Feb 6 08:10:10 UTC 2007
Dick Hardt wrote:
>
> Would be nice if the OP checking the RP could be cached so that it
> does not have to happen for each request.
>
Hi Dick,
OPs should definitely cache verification status of the RP's return_to
url so that verification happens once, or at least not until the
association expires.
The Association Process also seems a bit asymmetrical, as the OP is
giving out a shared secret and a handle, but it doesn't know who it's
giving it to. An OP may want to know more about the RP, like for
instance its realm and return_to url, before serving the request. The
OP can then complete the association process by verifying the RP's
return_to url after issuing the handle. I'm not sure how the realm could
be verified though.
Allen
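The caching behaviour Allen describes, sketched as an added Python example that is not code from this thread or from any OpenID implementation. It assumes the OpenID 2.0 realm matching rules (same scheme and port, host equal or covered by a leading "*." wildcard, return_to path equal to or a sub-directory of the realm path, no fragment in the realm), and it stands in for RP discovery with an injected `discover_return_to_urls(realm)` callable whose advertised URLs are matched against the request's return_to with those same rules; the `/`-boundary for the sub-directory check, the `ReturnToVerifier` class and the sample XRDS table are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    """Effective port, filling in the scheme default when none is given."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """True if return_to falls inside realm under OpenID 2.0 realm rules (assumed here).

    Scheme and port must be identical, the host must equal the realm host or be
    covered by a leading '*.' wildcard, and the return_to path must equal the
    realm path or sit below it. A realm carrying a fragment is rejected outright.
    """
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or not rt.scheme or not rl.scheme:
        return False
    if rt.scheme != rl.scheme or _port(rt) != _port(rl):
        return False
    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        if not (rt_host == suffix or rt_host.endswith("." + suffix)):
            return False
    elif rt_host != rl_host:
        return False
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    # Sub-directory check with a '/' boundary so that /app does not cover /apple.
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")


class ReturnToVerifier:
    """OP-side cache of verified (realm, return_to) pairs (hypothetical helper).

    discover_return_to_urls(realm) stands in for RP discovery, i.e. fetching the
    realm's XRDS document, and returns the return_to URLs the RP advertises.
    A positive result is remembered until the association it was checked
    under expires, so discovery runs once per association rather than per request.
    """

    def __init__(self, discover_return_to_urls):
        self._discover = discover_return_to_urls
        self._verified = {}        # (realm, return_to) -> expiry timestamp
        self.discovery_calls = 0   # counter so the caching effect is observable

    def verify(self, realm, return_to, assoc_expires_at, now=None):
        now = time.time() if now is None else now
        key = (realm, return_to)
        if self._verified.get(key, 0) > now:
            return True                      # cached and the association is still live
        if not return_to_matches_realm(return_to, realm):
            return False                     # cheap local check before any network call
        self.discovery_calls += 1
        advertised = self._discover(realm)
        if not any(return_to_matches_realm(return_to, u) for u in advertised):
            return False                     # RP does not claim this return_to
        self._verified[key] = assoc_expires_at
        return True


def demo():
    """Run the verifier over constructed sample data and report what happened."""
    # Constructed stand-in for RP discovery; a real OP would fetch the realm's XRDS.
    xrds = {"https://rp.example/": ["https://rp.example/openid/"]}
    verifier = ReturnToVerifier(lambda realm: xrds.get(realm, []))
    realm = "https://rp.example/"
    return_to = "https://rp.example/openid/return"
    t0 = 1000.0
    first = verifier.verify(realm, return_to, t0 + 3600, now=t0)           # discovery runs
    cached = verifier.verify(realm, return_to, t0 + 3600, now=t0 + 1000)   # cache hit
    foreign = verifier.verify(realm, "https://other.example/openid/return",
                              t0 + 3600, now=t0)                           # realm mismatch
    # After the association expires a new one is issued; discovery runs again.
    renewed = verifier.verify(realm, return_to, t0 + 7200, now=t0 + 3601)
    return first, cached, foreign, renewed, verifier.discovery_calls


if __name__ == "__main__":
    print(demo())  # (True, True, False, True, 2)
```

Keying the cache on the (realm, return_to) pair rather than on the association handle keeps a renewed association from silently inheriting a stale result, and doing the realm match before discovery means a return_to outside the realm never triggers a fetch at all.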