<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, Mar 15, 2016 at 3:37 PM John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">They would all need to provide the same sector_identifier_uri during registration.<br></blockquote><div><br></div><div>This is not what's written.</div><div><br></div><div>What's written is that they would need to provide the same Sector Identifier, which is the host part of the sector_identifier_uri. So different sector_identifier_uri values can share the same Sector Identifier, and as a result an attacker could use a vulnerability (or possibly even a "feature": user-contributed content) on the victim server to serve its own JSON file containing its own redirect_uris, which then shares the same Sector Identifier and thus receives the same pairwise sub identifiers as the victim.</div><div>Using a .well-known would mean that only one such JSON file can exist for a particular Sector Identifier, therefore making the Sector Identifier and sector_identifier_uri relationship 1:1 rather than 1:n.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The file at the sector identifier would need to contain both redirect URIs.<br>
<br>
This is under the control of the RP to show that the sites are related. You don’t want any site to be able to use your sector identifier to do correlation.<br>
<br>
The AS could have some administrative rule that sites are related and override the logic but that is likely not to be manageable over time.<br>
<br>
John B.<br>
<br>
<br>
> On Mar 14, 2016, at 1:30 PM, Mike Schwartz <<a href="mailto:mike@gluu.org" target="_blank">mike@gluu.org</a>> wrote:<br>
><br>
> James,<br>
><br>
> In the Gluu Server we just implemented interfaces to make it easier for domain admins to publish sector_identifier_uris. How could a single sector_identifier_uri work if you have multiple partners for which you want to issue distinct pairwise identifiers?<br>
><br>
> - Mike<br>
><br>
><br>
> -------------------------------------<br>
> Michael Schwartz<br>
> Gluu<br>
> Founder / CEO<br>
><br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
</blockquote></div></div>
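The collision the reply above describes, worked through in code. This is an added example, not code from the thread, the OpenID specifications or the Gluu Server. It models the OP side: the Sector Identifier is taken as the host of sector_identifier_uri, the OP checks that every registered redirect_uri appears in the JSON array served there, and the pairwise sub is derived with the hash(sector, local account ID, salt) construction that OpenID Connect Core 8.1 offers as one possible method (it is not the only permitted one). Every hostname, path, the salt and the .well-known path used for the proposed variant are constructed here, and the "fetched" documents are an inline dictionary standing in for HTTPS retrieval.

```python
"""Pairwise sub derivation and why two sector_identifier_uris on one host collide.

Added example; not code from the thread, the OpenID specs or the Gluu Server.
Hostnames, paths, the salt and the .well-known path are all constructed here.
"""
import base64
import hashlib
from urllib.parse import urlparse

# Stand-in for the JSON arrays an OP would fetch over HTTPS from each URI.
# Constructed data: "victim.example" hosts the legitimate RP's file and also
# lets users upload content, so an attacker can publish a second file there.
FETCHED_DOCUMENTS = {
    "https://victim.example/sector.json": [
        "https://app1.victim.example/cb",
        "https://app2.victim.example/cb",
    ],
    "https://victim.example/uploads/evil.json": [
        "https://attacker.example/cb",
    ],
    # Hypothetical fixed location for the .well-known proposal in the thread.
    "https://victim.example/.well-known/openid-sector-identifier": [
        "https://app1.victim.example/cb",
        "https://app2.victim.example/cb",
    ],
}

OP_SALT = b"constructed-op-secret-salt"  # per-OP secret, never shared with RPs


def sector_identifier(sector_identifier_uri):
    """Sector Identifier = host component of sector_identifier_uri (OIDC Core 8.1).

    Dynamic Client Registration requires the URI to use the https scheme.
    """
    parsed = urlparse(sector_identifier_uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sector_identifier_uri must be an https URL with a host")
    return parsed.hostname.lower()


def _check_listed(document_uri, redirect_uris, fetched):
    """Every registered redirect_uri must appear in the JSON array at document_uri."""
    listed = fetched.get(document_uri)
    if listed is None:
        raise ValueError("could not fetch " + document_uri)
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise ValueError("redirect_uris not listed at %s: %s" % (document_uri, missing))


def sector_for_registration(sector_identifier_uri, redirect_uris,
                            fetched=FETCHED_DOCUMENTS):
    """Current spec behaviour: the RP may point at any path on a host it controls.

    Any second document on the same host therefore yields the same sector.
    """
    _check_listed(sector_identifier_uri, redirect_uris, fetched)
    return sector_identifier(sector_identifier_uri)


def sector_for_registration_well_known(sector_id, redirect_uris,
                                       fetched=FETCHED_DOCUMENTS):
    """The thread's proposal (hypothetical path): exactly one document per host.

    The OP derives the document location from the Sector Identifier itself, so
    a file an attacker uploads elsewhere on the host is never consulted.
    """
    document_uri = "https://%s/.well-known/openid-sector-identifier" % sector_id
    _check_listed(document_uri, redirect_uris, fetched)
    return sector_id


def pairwise_sub(sector_id, local_account_id, salt=OP_SALT):
    """One derivation OIDC Core 8.1 suggests: hash(sector || local_account_id || salt)."""
    material = b"|".join([sector_id.encode(), local_account_id.encode(), salt])
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


if __name__ == "__main__":
    legit = pairwise_sub(
        sector_for_registration("https://victim.example/sector.json",
                                ["https://app1.victim.example/cb"]), "alice")
    rogue = pairwise_sub(
        sector_for_registration("https://victim.example/uploads/evil.json",
                                ["https://attacker.example/cb"]), "alice")
    print("same pairwise sub for victim and attacker:", legit == rogue)  # True
    try:
        sector_for_registration_well_known("victim.example",
                                           ["https://attacker.example/cb"])
    except ValueError as exc:
        print("well-known variant rejects the attacker:", exc)
```

The redirect_uri check passes for the attacker's registration because the uploaded file does list the attacker's own callback; the check only proves control of some path on the host, which is exactly the gap the reply points at. With the .well-known variant the attacker's callback is absent from the one document the OP will read, so registration under that sector fails.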