Two Identifiers - no caching advantage

Josh Hoyt josh at janrain.com
Sun Oct 22 05:52:10 UTC 2006


On 10/21/06, Dick Hardt <dick at sxip.com> wrote:
>         2) the RP does not verify the binding between the portable
> identifier and the IdP-specific identifier in the response.
>   to the one the attacker controls and the IdP has mapped

This is the part where I think you're wrong. The RP MUST verify that
binding, whether it is by keeping state, self-signing the request
(which gets passed through to the response) or doing discovery again.

Josh
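The binding check described in the message, done the "keeping state" way (the RP saves what it discovered before the redirect and compares the response against it), as an added example that is not code from this thread or from any OpenID library; the `Discovery` record, the stripped `openid.*` dict shape and the `BindingError` name are assumptions made for the example.

```python
# Added example (not code from the thread): an RP verifying that the
# IdP-specific identifier in a positive assertion is the one discovery
# bound to the portable (claimed) identifier, by comparing against saved state.
from dataclasses import dataclass
from urllib.parse import urldefrag


@dataclass(frozen=True)
class Discovery:
    """What the RP learned by discovery before sending the request (assumed shape)."""
    claimed_id: str    # portable identifier the user supplied
    op_local_id: str   # IdP-specific identifier discovery mapped it to
    op_endpoint: str   # IdP endpoint the request was sent to


class BindingError(Exception):
    """The response's identifiers do not match what the RP discovered."""


def verify_binding(pending: Discovery, response: dict) -> str:
    """Check an assertion against the stored discovery record.

    `response` holds the openid.* fields of the indirect response with the
    "openid." prefix stripped (a constructed shape for this example).
    Returns the verified claimed identifier on success, raises otherwise.
    """
    claimed = response.get("claimed_id")
    identity = response.get("identity")
    endpoint = response.get("op_endpoint")
    if not (claimed and identity and endpoint):
        raise BindingError("assertion lacks claimed_id, identity or op_endpoint")
    # An OP may append a fragment to the claimed identifier; drop it before comparing.
    claimed, _fragment = urldefrag(claimed)
    if claimed != pending.claimed_id:
        raise BindingError("claimed_id differs from the identifier the user supplied")
    # The check the message insists on: the IdP-specific identifier must be the
    # one discovery bound to the portable identifier, not whatever the IdP asserts.
    if identity != pending.op_local_id:
        raise BindingError("identity is not bound to claimed_id by discovery")
    if endpoint != pending.op_endpoint:
        raise BindingError("op_endpoint is not the one discovery returned")
    return pending.claimed_id


def is_bound(pending: Discovery, response: dict) -> bool:
    """Boolean wrapper around verify_binding for callers that only need accept/reject."""
    try:
        verify_binding(pending, response)
        return True
    except BindingError:
        return False


# Constructed sample: discovery state the RP saved before the redirect.
PENDING = Discovery(
    claimed_id="https://alice.example.org/",
    op_local_id="https://idp.example.net/user/alice",
    op_endpoint="https://idp.example.net/openid",
)
```

An assertion whose `openid.identity` is a different IdP-local identifier than the one discovery bound to the claimed identifier is rejected even though the claimed identifier and endpoint match.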
