RP attack vector - why two identifiers are redundant
Dick Hardt
dick at sxip.com
Sun Oct 15 02:48:46 UTC 2006
On 14-Oct-06, at 7:36 PM, Recordon, David wrote:
> Dick,
> While it is true that the IdP should still check that they are bound,
> except in the case when it is directly authoritative for both, the RP
> should provide the IdP with what the user entered as a hint to what
> claim the End User is wishing to make. Just sending the non-portable
> identifier, as is done today, means that "smart" IdPs will have to
> prompt the user again for what they just typed into the RP.
I think the RP should ALWAYS send a normalized version of what the
user typed in.
There is no need to send what got resolved, as both the IdP and the
RP will need to resolve it.
(I am almost caught up on list email, and will write up
yet-another-identifier-email. :-)
>
> While the protocol certainly can work without both, I believe it is a
> cleaner conceptual model to have the RP pass both to the IdP and then
> the IdP verify as needed. If we run into the problem of an End User not
> wanting the IdP to know the portable identifier, then I think that is a
> great thing as it means we've wrapped up Auth 2.0 and a lot of people
> are using it in many different ways! :)
I thought we already had determined that the IdP will know the
portable identifier?
-- Dick
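The design point under discussion, as an added illustration that is not part of the thread: the RP sends only a normalized form of what the user typed, and the IdP resolves that identifier itself and checks that it is bound to the account actually logged in, rather than trusting any resolved (non-portable) identifier the RP might pass along. The normalization below is a simplified approximation of URL-identifier normalization (XRIs are not handled), and the discovery table, the IdP name `http://idp.example.net/`, and the function names are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: the identifier this IdP is authoritative for.
SELF_IDP = "http://idp.example.net/"

# Constructed discovery results: portable identifier -> (IdP endpoint, IdP-local identifier).
# In a real deployment this comes from fetching and parsing the user's identifier page.
DISCOVERY = {
    "http://alice.example.com/": (SELF_IDP, "http://idp.example.net/users/alice"),
    "http://bob.example.com/": (SELF_IDP, "http://idp.example.net/users/bob"),
    "http://carol.example.org/": ("http://other-idp.example.org/", "http://other-idp.example.org/carol"),
}


def normalize_identifier(typed: str) -> str:
    """Return a canonical URL form of what the user typed (simplified; assumption, not the spec text).

    Trims whitespace, adds a missing http:// scheme, lowercases scheme and host,
    drops a default port, gives an empty path "/", and strips any fragment.
    """
    s = typed.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if (scheme == "http" and port == 80) or (scheme == "https" and port == 443):
        port = None
    netloc = host + (f":{port}" if port else "")
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def discover(claimed_id: str):
    """Stand-in for discovery: look the normalized identifier up in the constructed table."""
    return DISCOVERY.get(claimed_id)


def rp_build_request(typed: str) -> dict:
    """RP side: send only the normalized identifier; nothing resolved is included."""
    return {"claimed_id": normalize_identifier(typed)}


def idp_authorize(request: dict, session_local_id: str) -> tuple:
    """IdP side: resolve the claimed identifier independently and verify the binding.

    Any 'local_id' the RP may have added to the request is deliberately ignored,
    because the IdP cannot trust an RP's claim about which local account a
    portable identifier maps to. Returns (ok, reason_or_local_id).
    """
    claimed = normalize_identifier(request["claimed_id"])
    record = discover(claimed)
    if record is None:
        return (False, "unknown claimed identifier")
    idp, local_id = record
    if idp != SELF_IDP:
        return (False, "this IdP is not authoritative for the claimed identifier")
    if local_id != session_local_id:
        return (False, "claimed identifier is not bound to the authenticated account")
    return (True, local_id)


if __name__ == "__main__":
    req = rp_build_request("  Alice.Example.com ")
    print(req, idp_authorize(req, "http://idp.example.net/users/alice"))
```

The second branch of `idp_authorize` is the check David's quoted message concedes the IdP must keep: the IdP resolves the portable identifier on its own and refuses to assert it for a session whose local account it is not bound to, so an RP-supplied resolved identifier adds nothing the IdP can rely on.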