Two Identifiers - no caching advantage
Dick Hardt
dick at sxip.com
Fri Oct 20 00:14:06 UTC 2006
On 19-Oct-06, at 11:18 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
>> <sigh> reread the attack. The portable identifier and the IdP do
>> match.
>
> In fact, this makes me think of an attack that *would* succeed if the
> IdP-specific identifier was not in the response:
>
> when she has control, she initiates a log-in, but traps the response
> (it's valid, but never gets submitted to the relying party).
The trapped response would only be valid for a short period of time
since the RP checks that the response is not stale by looking at the
nonce, otherwise this attack could be used in many other places.
>
> After you regain control, she has a valid response for your identifier
> and you have no way to invalidate it. If the IdP-specific identifier
> was in the response, changing that would invalidate the response.
If you want that to happen, then you have to spec out that the RP is
verifying the IdP-specific identifier and portable identifier binding
when it receives it. That is not in the current proposal.
-- Dick
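An added illustration of the two RP-side checks discussed above (nonce staleness and replay, plus the IdP-specific/portable identifier binding check Dick says the proposal does not currently require), written for this summary and not taken from the thread or any OpenID implementation. The nonce layout (UTC timestamp followed by random text), the five-minute window, the fixed clock and all identifiers are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

NONCE_WINDOW = timedelta(minutes=5)   # assumed RP tolerance for response age

# Constructed fixed clock so the checks below are reproducible offline.
FIXED_NOW = datetime(2006, 10, 19, 18, 20, 0, tzinfo=timezone.utc)

def parse_nonce_time(nonce):
    """Assumed nonce layout: ISO-8601 UTC timestamp followed by random text."""
    try:
        return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

class RelyingParty:
    def __init__(self, discovered, now=FIXED_NOW):
        # discovered: portable id -> (IdP endpoint, IdP-specific id), from discovery
        self.discovered = discovered
        self.now = now
        self.seen = set()          # (IdP endpoint, nonce) pairs already accepted

    def verify(self, resp):
        op, nonce = resp["op_endpoint"], resp["response_nonce"]
        ts = parse_nonce_time(nonce)
        # Stale check: a trapped response is only usable inside the window.
        if ts is None or abs(self.now - ts) > NONCE_WINDOW:
            return "stale-nonce"
        # Replay check: a fresh nonce is still accepted only once per IdP endpoint.
        if (op, nonce) in self.seen:
            return "replayed-nonce"
        # Binding check: the IdP-specific id in the response must be the one
        # discovery currently binds to the portable id, so re-binding after the
        # user regains control invalidates any response captured earlier.
        if self.discovered.get(resp["claimed_id"]) != (op, resp["identity"]):
            return "binding-mismatch"
        self.seen.add((op, nonce))
        return "ok"

def demo():
    # Constructed sample discovery data and responses.
    rp = RelyingParty({"http://alice.example/": ("https://idp.example/op", "https://idp.example/u/alice")})
    good = {"claimed_id": "http://alice.example/", "identity": "https://idp.example/u/alice",
            "op_endpoint": "https://idp.example/op", "response_nonce": "2006-10-19T18:18:06Zq1w2e3"}
    old = dict(good, response_nonce="2006-10-19T17:00:00Zr4t5y6")
    results = [rp.verify(good), rp.verify(good), rp.verify(old)]
    # The user re-binds the portable id to a new IdP-specific id.
    rp.discovered["http://alice.example/"] = ("https://idp.example/op", "https://idp.example/u/alice2")
    results.append(rp.verify(dict(good, response_nonce="2006-10-19T18:19:30Zu7i8o9")))
    return results
```

The last case is the one the thread describes: a fresh, unreplayed response that still carries the old IdP-specific identifier is rejected only because the RP compares it against the current binding.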