[Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)

David Waite david at alkaline-solutions.com
Tue Feb 23 23:06:54 UTC 2021



> On Feb 23, 2021, at 6:02 AM, Kristina Yasuda via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> How would the RP check that it is a true "PWA / cloud wallet provider" and not a malicious provider pretending to be a good one?

The RP today does not have a way to verify an OP isn’t a malicious one - the user is expected to select the OP that represents them and to choose a non-malicious OP.

Are you thinking of a particular attack scenario involving something like Phishing or Man-in-the-Middle?

-DW