Consolidated Delegate Proposal

Josh Hoyt josh at janrain.com
Tue Oct 10 21:32:33 UTC 2006


On 10/10/06, Dick Hardt <dick at sxip.com> wrote:
> The IdP cannot trust the RP's discovery. The IdP will have to make
> sure that the IdP is authoritative for the identifier regardless.

The IdP doesn't have to trust the relying party's discovery. The IdP
*can* make sure that it is authoritative for the rp_user_id, but if it
isn't, the login will fail anyway. Only a malicious or broken RP will
make a request with an identifier that does not point to that IdP. A
malicious or broken RP does not need a meaningless assertion in order
to pretend to have authenticated a user.

The relying party is required to validate the assertion by doing
discovery anyway, and there is no case for sending an identifier that
does *not* delegate to that IdP, so why make the IdP do discovery
again?

Josh
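The relying-party check Josh refers to, as an added example that is not part of this thread or of any OpenID implementation: after receiving an assertion, the RP runs discovery on the claimed identifier and accepts the assertion only if the identifier actually delegates to the IdP that made it. Discovery is stubbed with a constructed table rather than real Yadis/HTML fetching, and the response field names (`openid.claimed_id`, `openid.identity`, `openid.op_endpoint`) follow the later OpenID 2.0 naming, which is an assumption here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DiscoveryResult:
    op_endpoint: str         # IdP server URL that discovery found for the identifier
    local_id: Optional[str]  # delegate (IdP-local identifier), None if the user set none

# Constructed stand-in for discovery results; a real RP fetches these from the
# identifier URL (Yadis / HTML link tags) every time it validates an assertion.
DISCOVERY = {
    "https://alice.example.net/": DiscoveryResult(
        "https://idp.example.com/server", "https://idp.example.com/alice"),
    "https://bob.example.org/": DiscoveryResult(
        "https://other-idp.example.org/server", None),
}

def discover(claimed_id: str) -> Optional[DiscoveryResult]:
    """Stand-in for discovery on the claimed identifier (offline table lookup)."""
    return DISCOVERY.get(claimed_id)

def assertion_matches_discovery(assertion: dict) -> bool:
    """True only if the identifier in the assertion delegates to the asserting IdP.

    This is the RP-side check that makes a meaningless assertion worthless:
    an IdP that is not authoritative for the identifier cannot pass it, so the
    login fails at the RP regardless of what the IdP itself verified.
    """
    claimed_id = assertion.get("openid.claimed_id")
    if not claimed_id:
        return False
    found = discover(claimed_id)
    if found is None:
        return False  # identifier resolves nowhere: nothing to delegate to
    if found.op_endpoint != assertion.get("openid.op_endpoint"):
        return False  # signed by an IdP the identifier does not point to
    # Without a delegate, the IdP-local identifier must be the claimed one.
    expected_local_id = found.local_id or claimed_id
    return assertion.get("openid.identity") == expected_local_id

def make_assertion(claimed_id: str, identity: str, op_endpoint: str) -> dict:
    """Build a minimal positive assertion as the RP would see it after signature checking."""
    return {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
            "openid.identity": identity, "openid.op_endpoint": op_endpoint}
```

Signature verification is assumed to have already happened; this check answers only the separate question of whether the signing IdP is the one the identifier delegates to.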
