[VOTE] Portable Identifier Support Proposal (patch)

Dick Hardt dick at sxip.com
Mon Oct 23 07:36:24 UTC 2006


On 23-Oct-06, at 12:27 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> Complexity: There is no reason for the RP to be managing the binding
>> between the IdP and the portable identifier. Both the IdP and the RP
>> are verifying this. There is no extra security, and more things to go
>> wrong in an implementation.
>>
>
> You keep stating that both the RP and the IdP are verifying this, but
> under 1.1 at least this is not the case: the RP verifies the delegation,
> and the IdP is completely unaware of it. There is no need for the IdP to
> verify the delegation, since the RP will only harm itself if it fails to
> verify the relationship correctly.

In the proposal, both the IdP and the RP verify. The IdP has to since
the public identifier is now part of the message it is signing.

-- Dick
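The OpenID 1.1 RP-side delegation check that Martin describes (the RP reads the claimed identifier's page and verifies the binding itself; the IdP never sees the portable identifier), as an added Python example that is not part of the thread or of any OpenID library. The identity page, URLs and assertions below are constructed for illustration.

```python
# Added example (not from the thread): models the OpenID 1.1 RP-side delegation
# check. The RP fetches the claimed identifier's page, reads openid.server and
# openid.delegate, and only accepts an IdP assertion whose openid.identity
# matches the delegate it discovered. The IdP is unaware of the claimed
# (portable) identifier, so a wrong binding can only hurt the RP that skips
# this check. HTML, URLs and assertions are constructed sample data.
from html.parser import HTMLParser

class LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> entries from an identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if "rel" in a and "href" in a:
            for rel in a["rel"].split():
                self.links[rel] = a["href"]

def discover(html):
    """Return (server, delegate) as a 1.1 RP would. Without openid.delegate,
    the claimed identifier is itself the IdP-local identity."""
    p = LinkRelParser()
    p.feed(html)
    return p.links.get("openid.server"), p.links.get("openid.delegate")

def rp_accepts(claimed_id, html, assertion):
    """RP verification under 1.1: the claimed_id -> delegate binding is the
    RP's responsibility. An assertion for any other identity is rejected even
    if the IdP's signature on it is valid."""
    server, delegate = discover(html)
    if server is None:
        return False
    expected = delegate or claimed_id
    return (assertion.get("openid.mode") == "id_res"
            and assertion.get("openid.identity") == expected)

# Constructed identity page for a portable identifier delegating to an IdP.
PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/server">
<link rel="openid.delegate" href="https://idp.example/user/alice">
</head><body>alice</body></html>"""
CLAIMED = "https://alice.example/"

GOOD = {"openid.mode": "id_res", "openid.identity": "https://idp.example/user/alice"}
# Well-formed and (assume) validly signed by the same IdP, but for a different
# IdP-local identity: not bound to the claimed identifier the RP discovered.
BAD = {"openid.mode": "id_res", "openid.identity": "https://idp.example/user/mallory"}
```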
