[Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)

Kristina Yasuda Kristina.Yasuda at microsoft.com
Wed Feb 24 02:32:40 UTC 2021


An RP today has pre-established trust with an OP, so if the user chooses a malicious OP, the chances are high that RPs would not have pre-established trust with that OP and the user would have to switch to a non-malicious OP.

I agree that the RP knowing which provider the user is using is a good thing. I am cautioning the RP against putting a high level of trust in the provider information (which it would if provider information is included in `iss`), because trust with SIOP is established ad hoc and is not pre-established (at least in the scenario where SIOP is on the edge device). How can the RP detect if a malicious provider is pretending to be a trusted provider - G00gle-authenticat0r.com saying it is Google-authenticator?

Today, the RP trusts the subject identifier because it has that pre-existing relationship with the issuer/IdP, who manages the identifiers. How can we make the reverse work - where the provider used can be trusted because the RP successfully established ad hoc trust with the subject identifier based on cryptographic verification?

Best,
Kristina
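
Kristina's last question, whether trust can run from a cryptographically verified subject identifier rather than from a pre-trusted provider, is what the self-issued model's `sub`/`sub_jwk` binding already gives an RP. The following Python sketch is an added illustration, not code from this thread or from the OpenID working group. It assumes the SIOP convention that `sub` is the RFC 7638 thumbprint of the key carried in `sub_jwk`, and the fixed `iss` value from the issue title; the key coordinates and token payload are constructed sample data, and the JWS signature check against `sub_jwk` is assumed to be done by a JOSE library before these claim checks run.

```python
import base64
import hashlib
import json

# Fixed issuer value that the SIOP v2 draft discussed in this issue requires.
SELF_ISSUED_ISS = "https://self-issued.me/v2"

# RFC 7638, section 3.2: the members that enter the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, keys in lexicographic
    order, no whitespace. Extra members such as 'kid' or 'alg' are dropped."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def check_self_issued_claims(claims: dict) -> dict:
    """RP-side claim checks on a self-issued ID token payload.

    After these checks (and a JWS signature check with sub_jwk, assumed to be
    done by a JOSE library) the RP may rely on exactly one thing: 'sub' is bound
    to the key in 'sub_jwk'. Everything else in the token, including anything
    that names a provider, is self-asserted and is reported as such.
    """
    problems = []
    if claims.get("iss") != SELF_ISSUED_ISS:
        problems.append("iss is not the fixed self-issued value")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub_jwk, dict) or sub_jwk.get("kty") not in THUMBPRINT_MEMBERS:
        problems.append("sub_jwk missing or of unsupported key type")
    elif claims.get("sub") != jwk_thumbprint(sub_jwk):
        problems.append("sub is not the thumbprint of sub_jwk")
    return {
        "ok": not problems,
        "problems": problems,
        "trusted_binding": {k: claims.get(k) for k in ("sub", "sub_jwk")},
        "self_asserted": {k: v for k, v in claims.items() if k not in ("sub", "sub_jwk")},
    }


# Constructed sample key (coordinates are placeholders, not a real P-256 point).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-AAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "constructed-y-coordinate-BBBBBBBBBBBBBBBBBBBBBBBB",
    "kid": "wallet-key-1",  # ignored by the thumbprint, as RFC 7638 requires
}

# Constructed sample ID token payload from a self-issued OP.
SAMPLE_TOKEN = {
    "iss": SELF_ISSUED_ISS,
    "sub": jwk_thumbprint(SAMPLE_JWK),
    "sub_jwk": SAMPLE_JWK,
    "aud": "https://rp.example",
    "iat": 1614128400,
}

if __name__ == "__main__":
    result = check_self_issued_claims(SAMPLE_TOKEN)
    print("ok:", result["ok"])
    print("self-asserted claims the RP must not treat as verified:",
          sorted(result["self_asserted"]))
```

Two failure cases matter in practice: a token whose `iss` carries a provider name fails the fixed-value check, so the RP never has to decide whether that name is trustworthy; and a token that keeps a known `sub` but presents a different `sub_jwk` fails the thumbprint check, which is the cryptographic binding the RP actually relies on.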


________________________________
From: David Waite <david at alkaline-solutions.com>
Sent: 24 February 2021 8:06
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
CC: Kristina Yasuda <Kristina.Yasuda at microsoft.com>; Adam Lemmon <issues-reply at bitbucket.org>
Subject: Re: [Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)



On Feb 23, 2021, at 6:02 AM, Kristina Yasuda via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

How would the RP check that it is a true "PWA / cloud wallet provider" and not a malicious provider pretending to be a good one?

The RP today does not have a way to verify that an OP isn't a malicious one - the user is expected to select the OP that represents them and to choose a non-malicious OP.

Are you thinking of a particular attack scenario involving something like Phishing or Man-in-the-Middle?

-DW