RP attack vector - why two identifiers are redundant

Recordon, David drecordon at verisign.com
Sun Oct 15 02:36:44 UTC 2006 

Dick,
While it is true that the IdP should still check that they are bound,
except in the case when it is directly authoritative for both, the RP
should provide the IdP with what the user entered as a hint to what
claim the End User is wishing to make.  Just sending the non-portable
identifier, as is done today, means that "smart" IdPs will have to
prompt the user again for what they just typed into the RP.

While the protocol certainly can work without both, I believe it is a
cleaner conceptual model to have the RP pass both to the IdP and then
the IdP verify as needed.  If we run into the problem of an End User not
wanting the IdP to know the portable identifier, then I think that is a
great thing as it means we've wrapped up Auth 2.0 and a lot of people
are using it in many different ways! :)

--David

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Dick Hardt
Sent: Saturday, October 14, 2006 7:12 PM
To: Drummond Reed
Cc: specs at openid.net
Subject: RP attack vector - why two identifiers are redundant 

	
On 13-Oct-06, at 7:45 PM, Drummond Reed wrote:

>> And despite all the "but it can't be stateless without two!"  
>> noise, it
>> actually can:  you put the portable identifier in the return_to URL 
>> and
>> verify it again when you get the signature back from the IdP.   
>> That is,
>> verify the mapping from portable -> IdP-specific still holds.   
>> Because you
>> can't just trust the 1 (or 2) values you get back from the IdP, 
>> otherwise the IdP (which could be malicious) could be fucking with 
>> you, asserting a portable identifier which it's not actually 
>> permitted to do, according to the portable identifer's 
>> YADIS/<head>/etc.
>
> Good point. I've never figured an attack vector for the RP to send the

> wrong identifiers to the IdP, since the RP is just "fooling itself". 
> But I agree there can be one for a malicious IdP to return the wrong 
> ones to an RP.

The attack vector is not that the RP sends the wrong identifiers, it is
that a malicious user in between modifies the request that is sent to
the IdP.

Since the request is not signed and flows through the user, the IdP does
not know the request message has not been modified. If the IdP assumes
the two identifiers are bound, then a malicious user can pretend to be a
different user from the same IdP to the RP. This presumes the IdP is
using an IdP identifier and the RP is using an RP identifier and the
binding is assumed by sending both.

Therefore, the IdP MUST make sure the two identifiers are linked, so
sending both is redundant for the IdP.

As noted in other messages, the RP cannot trust the IdP binding, and
needs to verify the binding themselves, so the sending the two
parameters is redundant in the response as well.


_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs

More information about the specs mailing list