From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Martin Atkins
Sent: Sunday, October 22, 2006 1:34 PM
To: specs@openid.net
Subject: Re: Two Identifiers - no caching advantage
Dick Hardt wrote:
> On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:
>
>> On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>>> 2) the RP does not verify the binding between the portable
>>> identifier and the IdP-specific identifier in the response.
>>> to the one the attacker controls and
On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:
> On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> 2) the RP does not verify the binding between the portable
>> identifier and the IdP-specific identifier in the response.
>> to the one the attacker controls and the IdP has mapped
>
> Th
On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> 2) the RP does not verify the binding between the portable
> identifier and the IdP-specific identifier in the response.
> to the one the attacker controls and the IdP has mapped
This is the part where I think you're wrong. The RP MUST
On 19-Oct-06, at 11:12 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> > Your attack fails.
>>
>> reread the attack. The portable identifier and the IdP do
>> match.
>
> No the identifiers do not.
They do. The attacker goes to the RP and enters my blog URL. The
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> If you want that to happen, then you have to spec out that the RP is
> verifying the IdP-specific identifier and portable identifier binding
> when it receives it. That is not in the current proposal.
If that is not in there, then the proposal *
On 19-Oct-06, at 11:18 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> reread the attack. The portable identifier and the IdP do
>> match.
>
> In fact, this makes me think of an attack that *would* succeed if the
> IdP-specific identifier was not in the response:
>
On 10/19/06, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> when she has control
Sorry that I didn't put this all in one message, but:
I think it's worthwhile to be aware of what might happen in scenarios
where your identifier has been stolen, but it should not have much
bearing on which proposal gets ac
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> reread the attack. The portable identifier and the IdP do match.
In fact, this makes me think of an attack that *would* succeed if the
IdP-specific identifier was not in the response:
when she has control, she initiates a log-in, but traps the
On 19-Oct-06, at 10:40 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> My head is a little more clear this morning, so let me clarify.
>>
>> My key point is that the IdP cannot trust the discovery done by the
>> RP since the request is unsigned and may have been m
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> My head is a little more clear this morning, so let me clarify.
>
> My key point is that the IdP cannot trust the discovery done by the
> RP since the request is unsigned and may have been modified
> between the RP and the IdP.
The IdP shoul
Dick Hardt wrote:
My key point is that the IdP cannot trust the discovery done by the
RP since the request is unsigned and may have been modified
between the RP and the IdP.
Yep. Though trusting RPs for _anything_ is a bad idea. Users necessarily
need to trust IdP's, the IdP's should
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> > Your attack fails.
>
> reread the attack. The portable identifier and the IdP do match.
No the identifiers do not.
It did at one time, but not at the time that the attack takes place.
While she has control of your blog, she has control of yo
PROTECTED] On
> Behalf
> Of Dick Hardt
> Sent: Thursday, October 19, 2006 12:13 AM
> To: specs@openid.net
> Subject: Two Identifiers - no caching advantage
>
> After reading through:
>
> http://www.lifewiki.net/openid/ConsolidatedDelegationProposal
>
> I ha
rtable OpenID identifiers ;-)
=Drummond
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dick Hardt
Sent: Thursday, October 19, 2006 12:13 AM
To: specs@openid.net
Subject: Two Identifiers - no caching advantage
After reading through:
http:
After reading through:
http://www.lifewiki.net/openid/ConsolidatedDelegationProposal
I have concluded there is no caching advantage
Specifically if you look at these two sections:
RP Rules for Identifier Parameters
Case 3: URL WITH IdP-Specific Identifier
If Portable Identifier is a