[Openid-specs-ab] well-known location for sector_identifier_uri

Thomas Broyer t.broyer at gmail.com
Tue Mar 15 16:20:06 UTC 2016


On Tue, Mar 15, 2016 at 3:37 PM John Bradley <ve7jtb at ve7jtb.com> wrote:

> They would all need to provide the same sector_identifier_uri during
> registration.
>

This is not what's written.

What's written is that they would need to provide the same Sector
Identifier, which is the host part of the sector_identifier_uri. So
different sector_identifier_uris can share the same Sector Identifier, and
as a result an attacker could use a vulnerability (or possibly even a
"feature": user-contributed content) on the victim server to serve their own
JSON file containing their own redirect_uris, thereby sharing the same Sector
Identifier and thus receiving the same pairwise sub identifiers as the
victim.
Using a .well-known location would mean that only one such JSON file can
exist for a particular Sector Identifier, making the relationship between
Sector Identifier and sector_identifier_uri 1:1 rather than 1:n.


> The file at the sector identifier would need to contain both redirect URIs.
>
> This is under the control of the RP to show that the sites are related.
>  You don’t want any site to be able to use your sector identifier to do
> correlation.
>
> The AS could have some administrative rule that sites are related and
> override the logic but that is likely not to be manageable over time.
>
> John B.
>
>
> > On Mar 14, 2016, at 1:30 PM, Mike Schwartz <mike at gluu.org> wrote:
> >
> > James,
> >
> > In the Gluu Server we just implemented interfaces to make it easier for
> domain admins to publish sector_identifier_uris. How could a single
> sector_identifier_uri work if you have multiple partners to which you want to
> issue distinct pairwise identifiers?
> >
> > - Mike
> >
> >
> > -------------------------------------
> > Michael Schwartz
> > Gluu
> > Founder / CEO
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
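The correlation Thomas describes above, and the effect of requiring a per-host .well-known location, as an added example that is not part of this thread or of any OP implementation: a minimal OP-side registration check plus the pairwise sub derivation, in Python. The hosts, JSON documents, salt and the well-known path name "/.well-known/sector-identifier" are constructed assumptions (the thread proposes a well-known location but does not name one); the SHA-256 over sector identifier, local account id and salt follows the spec's non-normative example for pairwise subs.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-in for what the OP would fetch over HTTPS from each
# sector_identifier_uri. In the real flow the OP performs the fetch itself.
CONSTRUCTED_DOCS = {
    # The legitimate RP's JSON file listing the redirect_uris of its related sites.
    "https://rp.example.com/sector.json": json.dumps(
        ["https://app1.example.com/cb", "https://app2.example.com/cb"]
    ),
    # A file an attacker managed to place on the *same host* (vulnerability or
    # user-contributed content), listing only the attacker's own redirect_uri.
    "https://rp.example.com/uploads/evil.json": json.dumps(
        ["https://attacker.example.net/cb"]
    ),
    # The single per-host document a .well-known rule would allow.
    "https://rp.example.com/.well-known/sector-identifier": json.dumps(
        ["https://app1.example.com/cb", "https://app2.example.com/cb"]
    ),
}

# Assumed name for the well-known location; the thread does not fix one.
WELL_KNOWN_PATH = "/.well-known/sector-identifier"


def fetch_sector_document(uri):
    """Return the parsed JSON array found at uri (from the constructed table)."""
    body = CONSTRUCTED_DOCS.get(uri)
    if body is None:
        raise ValueError("sector_identifier_uri not reachable: " + uri)
    return json.loads(body)


def validate_registration(sector_identifier_uri, redirect_uris, require_well_known=False):
    """OP-side check at client registration.

    Requires an https URL, fetches the document, and requires every registered
    redirect_uri to appear in the array. Returns the Sector Identifier, which
    per the spec is the host of sector_identifier_uri. With require_well_known
    set, only the per-host well-known path is accepted, so at most one document
    per host can establish that host's sector (1:1 instead of 1:n).
    """
    parsed = urlparse(sector_identifier_uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sector_identifier_uri must be an https URL with a host")
    if require_well_known and parsed.path != WELL_KNOWN_PATH:
        raise ValueError("sector_identifier_uri must be the well-known location")
    listed = fetch_sector_document(sector_identifier_uri)
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        raise ValueError("sector document must be a JSON array of strings")
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise ValueError("redirect_uris not in sector document: %r" % missing)
    return parsed.hostname


def registration_accepted(sector_identifier_uri, redirect_uris, require_well_known=False):
    """True if validate_registration would accept the registration."""
    try:
        validate_registration(sector_identifier_uri, redirect_uris, require_well_known)
        return True
    except ValueError:
        return False


def pairwise_sub(sector_identifier, local_account_id, salt):
    """Pairwise sub as in the spec's non-normative example:
    SHA-256 over sector identifier, local account id and an OP-private salt."""
    data = (sector_identifier + local_account_id + salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def subs_correlate(reg_a, reg_b, local_account_id, salt="constructed-op-salt",
                   require_well_known=False):
    """Register two clients (each a (sector_identifier_uri, redirect_uris) pair)
    and report whether they receive the same sub for the same user."""
    sid_a = validate_registration(reg_a[0], reg_a[1], require_well_known)
    sid_b = validate_registration(reg_b[0], reg_b[1], require_well_known)
    return pairwise_sub(sid_a, local_account_id, salt) == pairwise_sub(sid_b, local_account_id, salt)


VICTIM = ("https://rp.example.com/sector.json", ["https://app1.example.com/cb"])
VICTIM_WK = ("https://rp.example.com/.well-known/sector-identifier", ["https://app1.example.com/cb"])
ATTACKER = ("https://rp.example.com/uploads/evil.json", ["https://attacker.example.net/cb"])

if __name__ == "__main__":
    # Host-only rule: both registrations pass and share Sector Identifier
    # "rp.example.com", so the attacker receives the victim's pairwise subs.
    print("host rule, subs correlate:", subs_correlate(VICTIM, ATTACKER, "alice"))
    # .well-known rule: the victim registers the well-known document, the
    # attacker's path is rejected at registration.
    print("well-known rule, victim accepted:", registration_accepted(*VICTIM_WK, require_well_known=True))
    print("well-known rule, attacker accepted:", registration_accepted(*ATTACKER, require_well_known=True))
```

Under the host-only rule both registrations validate cleanly (each document really does list its own redirect_uris), and the hashes collide because only the host feeds the derivation; the well-known rule rejects the attacker without the OP needing any administrative "these sites are related" override.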