Consolidated Delegate Proposal

Dick Hardt dick at sxip.com
Tue Oct 17 16:07:19 UTC 2006


On 13-Oct-06, at 3:43 PM, Josh Hoyt wrote:

> On 10/13/06, Marius Scurtescu <marius at sxip.com> wrote:
>> The IdP is issuing a signed assertion about these identifiers, I
>> would assume the IdP to check the link between these identifiers.
>
> Sending two identifiers does not *prevent* the IdP from checking to
> make sure they match.
>
>> What if a bad RP sends an auth request with a mismatched set and then
>> re-posts the response to some other RP? I am sure someone will figure
>> a way to exploit this.
>
> It is, and must be, the relying party's responsibility to ensure that
> the information in the response matches what is discovered. This is
> true regardless when portable identifiers are used and when they are
> not. It is true for all of the proposed delegation mechanisms. It is
> really one of the fundamental elements of OpenID.
>
> A response from an IdP is meaningless until it is compared with the
> discovered information for the identifier in question.

If the RP is needing to make sure they match, then what is the point  
in sending both since the RP is figuring them out anyway?



More information about the specs mailing list