RP attack vector - why two identifiers are redundant

Josh Hoyt josh at janrain.com
Sun Oct 15 04:17:41 UTC 2006


On 10/14/06, Dick Hardt <dick at sxip.com> wrote:
> Since the request is not signed and flows through the user, the IdP
> does not know the request message has not been modified. If the IdP
> assumes the two identifiers are bound, then a malicious user can
> pretend to be a different user from the same IdP to the RP. This
> presumes the IdP is using an IdP identifier and the RP is using an RP
> identifier and the binding is assumed by sending both.
>
> Therefore, the IdP MUST make sure the two identifiers are linked, so
> sending both is redundant for the IdP.

The relying party knows both identifiers from doing discovery, and it
must check to make sure they match what is in the assertion. Since the
relying party MUST make sure it matches, the IdP doesn't have to. I
would say that the IdP SHOULD check to make sure it's valid, but it's
not strictly required.

Josh
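As an added illustration (not code from the thread or from any OpenID implementation), the following simulates the flow both messages describe: an IdP that copies the identifier binding out of the unsigned request, and an RP that compares the asserted pair against what it discovered itself before sending the request. The field names rp_identifier and idp_identifier, the IdP session table and the example URLs are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discovered:
    """What the RP learned by resolving the identifier the user typed in.
    Both field names are constructed for this example."""
    rp_identifier: str   # identifier the RP stores and shows for the user
    idp_identifier: str  # identifier the IdP knows that user by

# Constructed IdP accounts: which IdP identifier each IdP login session holds.
IDP_SESSIONS = {"idp-session-bob": "https://idp.example.com/bob"}

ALICE = Discovered("https://alice.example.net/", "https://idp.example.com/alice")
BOB = Discovered("https://bob.example.net/", "https://idp.example.com/bob")

def idp_issue_assertion(request: dict, idp_session: str) -> dict:
    """Simulated IdP that trusts the binding in the unsigned request: it
    authenticates the user for the IdP identifier, then copies the RP
    identifier out of the request unchecked (the behaviour Dick describes)."""
    if request["idp_identifier"] != IDP_SESSIONS[idp_session]:
        raise PermissionError("user is not logged in at the IdP as that identifier")
    return {"rp_identifier": request["rp_identifier"],
            "idp_identifier": request["idp_identifier"]}

def rp_accepts_strict(assertion: dict, discovered: Discovered) -> bool:
    """The check Josh says the RP MUST do: both identifiers in the assertion
    must equal the pair the RP discovered and saved before sending the request.
    The saved discovery result, never the assertion itself, is the reference."""
    return (assertion.get("rp_identifier") == discovered.rp_identifier
            and assertion.get("idp_identifier") == discovered.idp_identifier)

def rp_accepts_naive(assertion: dict, discovered: Discovered) -> bool:
    """Broken RP that only compares the identifier it stores for the user."""
    return assertion.get("rp_identifier") == discovered.rp_identifier

def honest_flow(user: Discovered, idp_session: str) -> bool:
    """Unmodified request: the asserted pair equals the discovered pair."""
    request = {"rp_identifier": user.rp_identifier, "idp_identifier": user.idp_identifier}
    return rp_accepts_strict(idp_issue_assertion(request, idp_session), user)

def tampered_flow() -> tuple:
    """Bob enters Alice's identifier at the RP, then edits the unsigned request
    in his browser so the IdP identifier is his own.  The IdP asserts
    (Alice's RP identifier, Bob's IdP identifier).  Returns the decisions of
    the strict RP and the naive RP, in that order."""
    request = {"rp_identifier": ALICE.rp_identifier, "idp_identifier": ALICE.idp_identifier}
    request["idp_identifier"] = IDP_SESSIONS["idp-session-bob"]   # tampered in transit
    assertion = idp_issue_assertion(request, "idp-session-bob")
    return rp_accepts_strict(assertion, ALICE), rp_accepts_naive(assertion, ALICE)
```

The strict RP rejects the tampered assertion because the IdP identifier no longer matches discovery, while the naive RP would log Bob in as Alice.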


