Eric,

> So, let's take the diagram from my recent mail message:
>
>     User                  RP                  IdP
>     ----                  --                  ---
>     Sell me beer ->
>                <- Prove you're 21
>     IdP, help me! ->
>     <---------- Auth exchange ------------->
>                                   <- Credential
>     Credential ->
>                <- OK
>
> The IdP gives the User some credential that he gives the
> RP. That's fine for the first request, but what happens when
> the user wants to make a second request? You clearly don't
> want to go back to the IdP every time. The classic solution
> is for the server to give you some cookie: those cookies
> can obviously be cut-and-pasted from one message to another.
> Even if you make them single-time (evolve them every time)
> there's a window between the cookie delivery (in the HTTP
> response) and the next HTTP request.
>
> Another option is to bypass the cookie thing and just make
> the Credential reusable, but this has the same problem...

In order for this replay to be effective the attacker would have had to compromise the privacy of the exchange or one end of the communication. A cookie approach is reasonable where this risk is reasonable, and can be further mitigated through brief durations or one-time use depending on need. Do we need more?
Eliot

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
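The two mitigations Eliot names, brief durations and one-time use, are easy to see in code. The following is an added illustration and not code from the DIX thread or any IdP/RP implementation it discusses: an RP-side cookie store that issues an HMAC-signed cookie after the IdP credential has been accepted, then rejects a cookie that is expired, tampered with, or presented a second time. The secret key, the ``CookieStore`` class, its field layout and the ``now`` parameter (passed explicitly so the timing is deterministic) are all assumptions made for this example. Note that single-use checking closes the cut-and-paste replay Eric describes only once the genuine request has arrived; the window between cookie delivery and that next request, which Eric points out, is narrowed by the short TTL but not eliminated.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumption: a per-RP secret known only to the relying party; constructed for this demo.
SECRET = b"constructed-demo-key-do-not-reuse"


class CookieStore:
    """RP-side store for short-lived, single-use session cookies (hypothetical design)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.consumed = set()  # nonces already presented; prevents a second use

    def issue(self, user, now=None):
        """Mint a cookie binding the user to an expiry and a fresh random nonce."""
        now = time.time() if now is None else now
        exp = int(now) + self.ttl
        nonce = secrets.token_hex(8)
        body = f"{user}|{exp}|{nonce}".encode()
        tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def verify(self, cookie, now=None):
        """Return (user, "ok") if the cookie is authentic, unexpired and unused;
        otherwise (None, reason)."""
        now = time.time() if now is None else now
        try:
            b64, tag = cookie.split(".", 1)
            body = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return None, "malformed"
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return None, "bad signature"
        try:
            user, exp, nonce = body.decode().split("|")
        except ValueError:
            return None, "malformed"
        if now > int(exp):
            return None, "expired"
        if nonce in self.consumed:
            return None, "replayed"
        self.consumed.add(nonce)  # burn the nonce: this cookie cannot be presented again
        return user, "ok"

    def handle_request(self, cookie, now=None):
        """Evolve the cookie on every request: accept the old one, hand back a new one."""
        user, status = self.verify(cookie, now=now)
        if user is None:
            return status, None
        return status, self.issue(user, now=now)


def demo():
    """Walk through the outcomes a practitioner would want to confirm; returns the statuses."""
    store = CookieStore(ttl_seconds=60)
    t0 = 1_000_000  # constructed epoch seconds; any fixed value works
    c1 = store.issue("alice", now=t0)
    first, c1_next = store.handle_request(c1, now=t0 + 1)     # genuine second request
    replay, _ = store.handle_request(c1, now=t0 + 2)          # same cookie pasted again
    c2 = store.issue("alice", now=t0)
    late, _ = store.handle_request(c2, now=t0 + 61)           # presented after the TTL
    tampered = c1_next[:-1] + ("0" if c1_next[-1] != "0" else "1")
    bad, _ = store.handle_request(tampered, now=t0 + 2)       # signature no longer matches
    return [first, replay, late, bad]


if __name__ == "__main__":
    print(demo())
```

``handle_request`` is the "evolve them every time" variant from Eric's message: each accepted request burns the presented nonce and returns a fresh cookie, so a captured cookie is useful to an attacker only if it reaches the RP before the legitimate follow-up request does, and only within the TTL.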
