Yet Another Delegation Thread

Martin Atkins mart at degeneration.co.uk
Wed Oct 25 19:40:06 UTC 2006


Dick Hardt wrote:
> The RP can't trust state that it has sent to the IdP since the  
> message may have been modified in transit between the RP and the IdP.
> 
> Perhaps someone can explain what state needs to be maintained? And if  
> the RP wants to put state in the message, I thought we had that as  
> data in the return_to? The RP likely needs to sign that in some  
> manner to know that it was not modified as well.
> 

The current stateless RP implementations just repeat discovery when they 
get back the signature. There is therefore a slim chance that the 
request had been modified to change the claimed_identity to another 
identifier owned by the same user and delegated to the same IdP 
identifier at the same IdP. However, aside from this rather odd attack 
the second discovery is sufficient to avoid the need for RP state or 
signatures.
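
The check described above, as an added example that is not part of the original post or of any OpenID library. It assumes a constructed discovery table in place of fetching the identifier URLs, and the names `discover`, `verify_stateless`, `claimed_id`, `idp_endpoint` and `idp_identifier` are hypothetical.

```python
# Constructed discovery data standing in for fetching each identifier URL.
# claimed identifier -> (IdP endpoint, IdP-local identifier it delegates to)
IDP = "https://idp.example.com/auth"
DISCOVERY = {
    "http://alice.example.org/": (IDP, "http://alice.idp.example.com/"),
    "http://alice-blog.example.net/": (IDP, "http://alice.idp.example.com/"),
    "http://bob.example.org/": (IDP, "http://bob.idp.example.com/"),
}


def discover(claimed_id):
    """Hypothetical discovery step; a real RP would fetch and parse the URL."""
    return DISCOVERY.get(claimed_id)


def verify_stateless(response, signature_valid):
    """Accept only if a fresh discovery on the claimed identifier yields the
    same IdP endpoint and IdP identifier the IdP vouched for. The RP keeps
    no record of the request it originally sent."""
    if not signature_valid:  # assumption: signature already checked elsewhere
        return False
    found = discover(response["claimed_id"])
    if found is None:
        return False
    return found == (response["idp_endpoint"], response["idp_identifier"])


def run_cases():
    """Three constructed responses, all carrying a valid IdP signature for
    alice's IdP identifier; only the claimed identifier differs."""
    base = {"idp_endpoint": IDP, "idp_identifier": "http://alice.idp.example.com/"}
    cases = {
        "unmodified": "http://alice.example.org/",
        "changed_to_other_user": "http://bob.example.org/",
        "changed_to_same_users_other_id": "http://alice-blog.example.net/",
    }
    return {
        name: verify_stateless(dict(base, claimed_id=cid), signature_valid=True)
        for name, cid in cases.items()
    }


if __name__ == "__main__":
    for name, accepted in run_cases().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The second discovery rejects a claimed identifier that belongs to a different user, while the identifier that delegates to the same IdP identifier at the same IdP is still accepted, which is the residual case the message mentions.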




