[Openid-specs-ab] well-known location for sector_identifier_uri
t.broyer at gmail.com
Tue Mar 15 16:20:06 UTC 2016
On Tue, Mar 15, 2016 at 3:37 PM John Bradley <ve7jtb at ve7jtb.com> wrote:
> They would all need to provide the same sector_identifier_uri during
This is not what's written.
What's written is that they would need to provide the same Sector
Identifier, which is the host part of the sector_identifier_uri. So
different sector_identifier_uri can share the same Sector Identifier, and
as a result an attacker could use a vulnerability (or possibly even a
"feature" – user-contributed content) on the victim server to serve its own
JSON file containing its own redirect_uris, then sharing the same Sector
Identifier, thus now receiving the same pairwise sub identifiers as the
Using a .well-known would mean that only one such JSON file can exist for a
particular Sector Identifier, therefore making the Sector Identifier and
sector_identifier_uri relationship a 1:1 rather than 1:n.
> The file at the sector identifier would need to contain both redirect URI.
> This is under the control of the RP to show that the sites are related.
> You don’t want any site to be able to use your sector identifier to do
> The AS could have some administrative rule that sites are related and
> override the logic but that is likely not to be manageable over time.
> John B.
> > On Mar 14, 2016, at 1:30 PM, Mike Schwartz <mike at gluu.org> wrote:
> > James,
> > In the Gluu Server we just implemented interfaces to make it easier for
> domain admins to publish sector_identifier_uri's. How could a single
> sector_identifier_uri work if you have multiple partners which you want to
> issue distinct pairwise identifiers?
> > - Mike
> > -------------------------------------
> > Michael Schwartz
> > Gluu
> > Founder / CEO
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
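To make the 1:n relationship in the reply above concrete, here is an added Python example; it is not code from the thread, from the OpenID specs or from Gluu. It derives the Sector Identifier as the host component of sector_identifier_uri, checks that the registered redirect_uris appear in the JSON array served there, and derives a pairwise sub with one of the example methods described in OpenID Connect Core 8.1 (hash of Sector Identifier, local account id and a secret salt). The two document URIs, the redirect URIs, the salt and the well-known path `/.well-known/openid-sector-identifier` are all constructed assumptions; the last is a hypothetical name standing in for the proposal under discussion, not a registered well-known suffix.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the documents an OP would fetch over HTTPS from
# each sector_identifier_uri: the JSON array of redirect_uris, already parsed.
# All three URIs live on the same host, so they share one Sector Identifier.
SECTOR_DOCUMENTS = {
    # The legitimate RP's document.
    "https://rp.example.com/sector.json": [
        "https://app1.example.com/cb",
        "https://app2.example.com/cb",
    ],
    # Attacker-supplied content the victim host happens to serve
    # (e.g. an upload feature); it lists only the attacker's redirect_uri.
    "https://rp.example.com/uploads/evil.json": [
        "https://attacker.example.net/cb",
    ],
    # Hypothetical well-known document for the proposal in the thread; the
    # path name is an assumption, not a registered well-known suffix.
    "https://rp.example.com/.well-known/openid-sector-identifier": [
        "https://app1.example.com/cb",
        "https://app2.example.com/cb",
    ],
}

# Assumed well-known path for the proposed 1:1 scheme (hypothetical name).
WELL_KNOWN_PATH = "/.well-known/openid-sector-identifier"


def fetch_sector_document(uri):
    """Stand-in for the HTTPS fetch; serves the constructed documents above."""
    if uri not in SECTOR_DOCUMENTS:
        raise ValueError("sector document not found: %s" % uri)
    return SECTOR_DOCUMENTS[uri]


def validate_sector_identifier_uri(uri, redirect_uris, require_well_known=False):
    """Validate a registration per OIDC Core 8.1 and return the Sector Identifier.

    The Sector Identifier is the host of sector_identifier_uri, so any document
    on that host passes unless require_well_known pins the check to one path.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sector_identifier_uri must be an https URL with a host")
    if require_well_known and parsed.path != WELL_KNOWN_PATH:
        raise ValueError("sector_identifier_uri must be the well-known document")
    doc = fetch_sector_document(uri)
    if not isinstance(doc, list) or not all(isinstance(u, str) for u in doc):
        raise ValueError("sector document must be a JSON array of strings")
    missing = sorted(set(redirect_uris) - set(doc))
    if missing:
        raise ValueError("redirect_uris not in sector document: %s" % missing)
    return parsed.hostname


def is_acceptable(uri, redirect_uris, require_well_known=False):
    """True if validate_sector_identifier_uri would accept this registration."""
    try:
        validate_sector_identifier_uri(uri, redirect_uris, require_well_known)
        return True
    except ValueError:
        return False


def pairwise_sub(sector_identifier, local_account_id, salt):
    """One of the example methods in OIDC Core 8.1: hash sector id, local id and salt."""
    material = "%s|%s|%s" % (sector_identifier, local_account_id, salt)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def demo(require_well_known=False):
    """Register the legitimate RP and the attacker's file, then report whether
    both are accepted and whether they receive the same pairwise sub for 'alice'."""
    salt = "op-secret-salt-constructed"  # constructed; a real OP keeps this secret
    legit_uri = "https://rp.example.com/sector.json"
    legit_rus = ["https://app1.example.com/cb", "https://app2.example.com/cb"]
    evil_uri = "https://rp.example.com/uploads/evil.json"
    evil_rus = ["https://attacker.example.net/cb"]
    result = {
        "legit_accepted": is_acceptable(legit_uri, legit_rus, require_well_known),
        "evil_accepted": is_acceptable(evil_uri, evil_rus, require_well_known),
        "same_sub": False,
    }
    if result["legit_accepted"] and result["evil_accepted"]:
        legit_sector = validate_sector_identifier_uri(legit_uri, legit_rus, require_well_known)
        evil_sector = validate_sector_identifier_uri(evil_uri, evil_rus, require_well_known)
        result["same_sub"] = (pairwise_sub(legit_sector, "alice", salt)
                              == pairwise_sub(evil_sector, "alice", salt))
    return result


if __name__ == "__main__":
    print("host-only check:", demo())
    print("well-known check:", demo(require_well_known=True))
```

With the host-only check both registrations are accepted and the attacker's client receives the same pairwise sub for alice as the legitimate RP, which is the 1:n problem the reply describes. With the well-known check only the single document at the pinned path can vouch for a host, so the attacker's uploaded file is rejected; an OP that does not pin the path is left with the administrative "sites are related" rule John mentions.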