[Openid-specs-ab] well-known location for sector_identifier_uri

John Bradley ve7jtb at ve7jtb.com
Tue Mar 15 22:50:07 UTC 2016


Yes, the spec recommends using the host portion only for calculating the PPID. If that is a concern for the AS, it could always use the path as well.

Making the file a .well-known is not a bad idea.  Unfortunately it didn’t come up at the time.  In fact getting anyone to have any interest in pairwise identifiers was a challenge at times. 

Perhaps that is something we could consider for a future update.  We could simply say the sector identifier needs to be in .well-known but still use the host name.
That would stop random customer content from being used to insert a bogus sector identifier.

I think the reason that we didn’t use the full path was to allow the client some flexibility in moving the file.

John B.

> On Mar 15, 2016, at 1:20 PM, Thomas Broyer <t.broyer at gmail.com> wrote:
> 
> 
> 
> On Tue, Mar 15, 2016 at 3:37 PM John Bradley <ve7jtb at ve7jtb.com> wrote:
> They would all need to provide the same sector_identifier_uri during registration.
> 
> This is not what's written.
> 
> What's written is that they would need to provide the same Sector Identifier, which is the host part of the sector_identifier_uri. So different sector_identifier_uri can share the same Sector Identifier, and as a result an attacker could use a vulnerability (or possibly even a "feature" – user-contributed content) on the victim server to serve its own JSON file containing its own redirect_uris, then sharing the same Sector Identifier, thus now receiving the same pairwise sub identifiers as the victim.
> Using a .well-known would mean that only one such JSON file can exist for a particular Sector Identifier, therefore making the Sector Identifier and sector_identifier_uri relationship a 1:1 rather than 1:n.
>  
> The file at the sector identifier would need to contain both redirect URIs.
> 
> This is under the control of the RP to show that the sites are related.   You don’t want any site to be able to use your sector identifier to do correlation.
> 
> The AS could have some administrative rule that sites are related and override the logic but that is likely not to be manageable over time.
> 
> John B.
> 
> 
> > On Mar 14, 2016, at 1:30 PM, Mike Schwartz <mike at gluu.org> wrote:
> >
> > James,
> >
> > In the Gluu Server we just implemented interfaces to make it easier for domain admins to publish sector_identifier_uri's. How could a single sector_identifier_uri work if you have multiple partners which you want to issue distinct pairwise identifiers?
> >
> > - Mike
> >
> >
> > -------------------------------------
> > Michael Schwartz
> > Gluu
> > Founder / CEO
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
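Added example, not part of the original message or of any implementation mentioned in it: an AS-side sketch of the point under discussion, using the SHA-256 construction that OpenID Connect Core section 8.1 gives as an example for pairwise `sub` values. It compares host-only derivation with the two mitigations raised in the thread; the `.well-known` path name, the salt and all URLs are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Hypothetical path: the thread proposes .well-known but names no location.
WELL_KNOWN_PATH = "/.well-known/sector-identifier"
SALT = b"constructed-demo-salt"  # constructed; a real AS keeps its salt secret

# Constructed registrations: the RP's own file, and a second JSON file
# served from user-contributed content on the same host.
RP_URI = "https://rp.example.com/oidc/sector.json"
UPLOAD_URI = "https://rp.example.com/uploads/u123/sector.json"


def sector_identifier(uri, mode="host"):
    """Derive the Sector Identifier from a sector_identifier_uri.

    mode="host":       host component only (the spec's recommendation)
    mode="host+path":  host and path (the AS-side option in the reply)
    mode="well-known": host only, rejecting URIs outside WELL_KNOWN_PATH
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("sector_identifier_uri must be an https URL")
    host = parts.hostname.lower()
    if mode == "host":
        return host
    if mode == "host+path":
        return host + parts.path
    if mode == "well-known":
        if parts.path != WELL_KNOWN_PATH or parts.query:
            raise ValueError("must be served from " + WELL_KNOWN_PATH)
        return host
    raise ValueError("unknown mode: " + mode)


def pairwise_sub(uri, local_account_id, mode="host"):
    """SHA-256(sector_identifier || local_account_id || salt), hex encoded."""
    sid = sector_identifier(uri, mode).encode()
    return hashlib.sha256(sid + local_account_id.encode() + SALT).hexdigest()


def same_sub(mode):
    """True if both registrations yield the same sub for one account."""
    return pairwise_sub(RP_URI, "alice", mode) == pairwise_sub(UPLOAD_URI, "alice", mode)


def accepted(uri, mode):
    """True if the AS would accept this sector_identifier_uri under mode."""
    try:
        sector_identifier(uri, mode)
        return True
    except ValueError:
        return False
```

With host-only derivation both files map to the same `sub`; including the path separates them, and the `.well-known` rule rejects the second file at registration while keeping the host as the identifier.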