Two Identifiers - no caching advantage
Josh Hoyt
josh at janrain.com
Sun Oct 22 05:52:10 UTC 2006
On 10/21/06, Dick Hardt <dick at sxip.com> wrote:
> 2) the RP does not verify the binding between the portable
> identifier and the IdP-specific identifier in the response.
> to the one the attacker controls and the IdP has mapped
This is the part where I think you're wrong. The RP MUST verify that
binding, whether it is by keeping state, self-signing the request
(which gets passed through to the response) or doing discovery again.
Josh
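An added illustration of the check described above, not code from the thread or from any OpenID library: an RP compares the IdP-specific (OP-local) identifier asserted in the response against the one it discovered for the portable (claimed) identifier, using either state kept from the request or a fresh discovery. All identifiers, endpoints and the discovery table are constructed for the example; the response is assumed to be signature-checked already.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed discovery results: claimed identifier -> (OP endpoint, OP-local id).
# A real RP obtains these by doing discovery on the claimed identifier.
DISCOVERY = {
    "https://alice.example/": ("https://op.example/auth", "https://op.example/u/alice"),
    "https://mallory.example/": ("https://op.example/auth", "https://op.example/u/mallory"),
}


@dataclass
class Session:
    """State the RP keeps between issuing the request and receiving the response."""
    claimed_id: str
    op_endpoint: str
    op_local_id: str


def start_request(claimed_id: str) -> Session:
    """Discover once at request time and remember what was discovered."""
    endpoint, local_id = DISCOVERY[claimed_id]
    return Session(claimed_id, endpoint, local_id)


def accept_unchecked(response: Dict[str, str]) -> Optional[str]:
    """Defective RP logic: trusts the claimed_id in the response without
    checking which OP-local id the IdP actually asserted for it."""
    return response.get("openid.claimed_id")


def verify_with_state(response: Dict[str, str], session: Session) -> Optional[str]:
    """Option 1 from the thread: check the response against stored state.
    Returns the verified claimed identifier, or None if the binding fails."""
    if response.get("openid.op_endpoint") != session.op_endpoint:
        return None
    if response.get("openid.claimed_id") != session.claimed_id:
        return None
    if response.get("openid.identity") != session.op_local_id:
        return None
    return session.claimed_id


def verify_by_rediscovery(response: Dict[str, str]) -> Optional[str]:
    """Option 3 from the thread: redo discovery on the claimed identifier in the
    response and require that it yield the same endpoint and OP-local id."""
    claimed = response.get("openid.claimed_id")
    if claimed not in DISCOVERY:
        return None
    endpoint, local_id = DISCOVERY[claimed]
    if response.get("openid.op_endpoint") != endpoint:
        return None
    if response.get("openid.identity") != local_id:
        return None
    return claimed
```

A response whose `openid.identity` is a different user's OP-local id than the one discovered for `openid.claimed_id` is rejected by both verifying functions but accepted by the unchecked one.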