Yet Another Delegation Thread
Martin Atkins
mart at degeneration.co.uk
Wed Oct 25 19:40:06 UTC 2006
Dick Hardt wrote:
> The RP can't trust state that it has sent to the IdP since the
> message may have been modified in transit between the RP and the IdP.
>
> Perhaps someone can explain what state needs to be maintained? And if
> the RP wants to put state in the message, I thought we had that as
> data in the return_to? The RP likely needs to sign that in some
> manner to know that it was not modified as well.
>
The current stateless RP implementations just repeat discovery when they
get back the signature. There is therefore a slim chance that the
request had been modified to change the claimed_identity to another
identifier owned by the same user and delegated to the same IdP
identifier at the same IdP. However, aside from this rather odd attack
the second discovery is sufficient to avoid the need for RP state or
signatures.
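As an added illustration (not code from the thread or any OpenID library), a constructed Python model of the stateless check described above: the RP re-runs discovery on the claimed identifier carried in the signed response and accepts it only if that identifier delegates to the IdP that produced the signature and to the IdP-local identifier the IdP asserted. The discovery table, identifiers and field names are assumptions for the example; the last scenario shows the caveat noted above, where a second identifier of the same user delegating to the same IdP-local identifier still passes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    op_endpoint: str  # IdP endpoint the claimed identifier delegates to
    op_local_id: str  # identifier the IdP knows the user by (openid.delegate)


# Constructed sample discovery documents, keyed by claimed identifier.
IDP = "https://idp.example/op"
DISCOVERY_DOCS = {
    "https://alice.example/": Delegation(IDP, "https://idp.example/u/alice"),
    # Second identifier owned by Alice, delegated to the same IdP-local id.
    "https://alice.example/blog": Delegation(IDP, "https://idp.example/u/alice"),
    "https://bob.example/": Delegation(IDP, "https://idp.example/u/bob"),
    "https://carol.example/": Delegation("https://other-idp.example/op",
                                         "https://other-idp.example/u/carol"),
}


def discover(claimed_id: str) -> Optional[Delegation]:
    """Stand-in for fetching the claimed identifier and parsing its link tags."""
    return DISCOVERY_DOCS.get(claimed_id)


def verify_stateless(response: dict, signing_op_endpoint: str) -> Optional[str]:
    """Return the claimed identifier to treat as authenticated, else None.

    The RP kept no state from its original request, so it re-discovers the
    claimed identifier in the signed response and checks the delegation.
    """
    found = discover(response["claimed_id"])
    if found is None:
        return None
    if found.op_endpoint != signing_op_endpoint:
        return None  # identifier does not delegate to the IdP that signed
    if found.op_local_id != response["identity"]:
        return None  # claimed_id points at a different user of the same IdP
    return response["claimed_id"]


def scenarios() -> dict:
    """Constructed responses, each with a signature already confirmed by IDP."""
    def run(claimed: str) -> Optional[str]:
        return verify_stateless({"identity": "https://idp.example/u/alice",
                                 "claimed_id": claimed}, IDP)
    return {
        "honest": run("https://alice.example/"),
        "swapped_to_bob": run("https://bob.example/"),
        "swapped_to_other_idp": run("https://carol.example/"),
        "swapped_to_same_user": run("https://alice.example/blog"),  # the caveat
    }
```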