Two Identifiers - no caching advantage

Dick Hardt dick at sxip.com
Fri Oct 20 00:14:06 UTC 2006


On 19-Oct-06, at 11:18 AM, Josh Hoyt wrote:

> On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
>> <sigh> reread the attack. The portable identifier and the IdP do  
>> match.
>
> In fact, this makes me think of an attack that *would* succeed if the
> IdP-specific identifier was not in the response:
>
> when she has control, she initiates a log-in, but traps the response
> (it's valid, but never gets submitted to the relying party).

The trapped response would only be valid for a short period of time  
since the RP checks that the response is not stale by looking at the  
nonce, otherwise this attack could be used in many other places.

>
> After you regain control, she has a valid response for your identifier
> and you have no way to invalidate it. If the IdP-specific identifier
> was in the response, changing that would invalidate the response.

If you want that to happen, then you have to spec out that the RP is  
verifying the IdP-specific identifier and portable identifier binding  
when it receives it. That is not in the current proposal.

-- Dick
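The two relying-party checks argued about above, nonce freshness (which bounds how long a trapped response stays usable) and verification of the binding between the portable identifier and the IdP-specific identifier (which is what would let the user invalidate a trapped response by changing that binding), as an added example. This is illustrative code written for this page, not code from the thread or from any OpenID implementation. The parameter names (claimed_id, identity, response_nonce, op_endpoint) follow the names OpenID 2.0 eventually used and the nonce is assumed to start with a 20-character UTC timestamp; the five-minute acceptance window, the clock-skew allowance, the discovery table and the sample assertion are all constructed here.

```python
from datetime import datetime, timedelta, timezone

# Assumed RP policy: how far in the past a response_nonce timestamp may lie.
NONCE_MAX_AGE = timedelta(minutes=5)
# Assumed tolerance for nonces whose timestamp is slightly ahead of our clock.
NONCE_MAX_SKEW = timedelta(seconds=30)
# Assumed nonce layout: a 20-char "YYYY-MM-DDThh:mm:ssZ" prefix plus random chars.
NONCE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def nonce_timestamp(nonce):
    """Return the UTC time encoded at the start of the nonce, or None if malformed."""
    try:
        return datetime.strptime(nonce[:20], NONCE_TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


class RelyingParty:
    def __init__(self, discovery, now):
        self.discovery = discovery    # portable id -> {"op_endpoint", "idp_identifier"}
        self.now = now                # injectable UTC clock so scenarios are deterministic
        self.seen_nonces = set()      # (op_endpoint, nonce) pairs already accepted

    def check_nonce(self, op_endpoint, nonce):
        """Reject stale, future-dated or already-used nonces."""
        ts = nonce_timestamp(nonce)
        if ts is None:
            return False, "malformed nonce"
        if self.now - ts > NONCE_MAX_AGE:
            return False, "stale nonce"
        if ts - self.now > NONCE_MAX_SKEW:
            return False, "nonce from the future"
        if (op_endpoint, nonce) in self.seen_nonces:
            return False, "nonce already used"
        return True, "ok"

    def check_binding(self, claimed_id, idp_identifier, op_endpoint):
        """Re-run discovery on the portable identifier and require that the IdP
        and IdP-specific identifier in the response are the ones bound to it now."""
        info = self.discovery.get(claimed_id)
        if info is None:
            return False, "discovery failed for portable identifier"
        if info["op_endpoint"] != op_endpoint:
            return False, "response not from the IdP discovered for this identifier"
        if info["idp_identifier"] != idp_identifier:
            return False, "identifier binding mismatch"
        return True, "ok"

    def verify(self, response):
        """Accept a positive assertion only if both checks pass. Signature
        verification is assumed to have been done before this point (not shown)."""
        ok, why = self.check_nonce(response["op_endpoint"], response["response_nonce"])
        if not ok:
            return False, why
        ok, why = self.check_binding(response["claimed_id"], response["identity"],
                                     response["op_endpoint"])
        if not ok:
            return False, why
        self.seen_nonces.add((response["op_endpoint"], response["response_nonce"]))
        return True, "ok"


# Constructed discovery result for Alice's portable identifier.
ALICE = "https://alice.example.org/"
DISCOVERY = {ALICE: {"op_endpoint": "https://idp.example.com/openid",
                     "idp_identifier": "https://idp.example.com/u/alice"}}
T0 = datetime(2006, 10, 20, 0, 14, 6, tzinfo=timezone.utc)


def make_response(nonce_time, identity="https://idp.example.com/u/alice"):
    """A constructed positive assertion, as it would look after signature checking."""
    return {"op_endpoint": "https://idp.example.com/openid",
            "claimed_id": ALICE,
            "identity": identity,
            "response_nonce": nonce_time.strftime(NONCE_TIME_FMT) + "x7Kq9"}


def scenario_fresh():
    rp = RelyingParty(DISCOVERY, now=T0)
    return rp.verify(make_response(T0 - timedelta(seconds=10)))


def scenario_trapped_response_submitted_later():
    # The attacker trapped a valid response and submits it an hour later.
    rp = RelyingParty(DISCOVERY, now=T0 + timedelta(hours=1))
    return rp.verify(make_response(T0 - timedelta(seconds=10)))


def scenario_replay():
    # The same response presented twice within the window.
    rp = RelyingParty(DISCOVERY, now=T0)
    resp = make_response(T0 - timedelta(seconds=10))
    rp.verify(resp)
    return rp.verify(resp)


def scenario_idp_identifier_rotated():
    # Still inside the nonce window, but the victim has re-pointed the portable
    # identifier at a new IdP-specific identifier; the binding check catches it.
    rotated = {ALICE: dict(DISCOVERY[ALICE],
                           idp_identifier="https://idp.example.com/u/alice2")}
    rp = RelyingParty(rotated, now=T0 + timedelta(minutes=1))
    return rp.verify(make_response(T0 - timedelta(seconds=10)))
```

The nonce check alone makes the trapped response useless once the window closes, which is the point made in the reply; the binding check is what makes the response useless before the window closes, once the user changes the IdP-specific identifier, and it only helps if the RP actually performs it, which is the point made about the proposal.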


