On 19-Oct-06, at 11:18 AM, Josh Hoyt wrote:

> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> <sigh> reread the attack. The portable identifier and the IdP do
>> match.
>
> In fact, this makes me think of an attack that *would* succeed if the
> IdP-specific identifier was not in the response:
>
> when she has control, she initiates a log-in, but traps the response
> (it's valid, but never gets submitted to the relying party).

The trapped response would only be valid for a short period of time since
the RP checks that the response is not stale by looking at the nonce;
otherwise this attack could be used in many other places.

> After you regain control, she has a valid response for your identifier
> and you have no way to invalidate it. If the IdP-specific identifier
> was in the response, changing that would invalidate the response.

If you want that to happen, then you have to spec out that the RP is
verifying the IdP-specific identifier and portable identifier binding
when it receives it. That is not in the current proposal.

-- Dick

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
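The two relying-party checks the thread argues over, put together as an added example (this is not code from the thread, the OpenID specification or any OpenID library): a nonce window that makes a trapped response expire, and a check that the IdP-specific identifier in the response still matches what discovery on the portable identifier returns at verification time. The five-minute window, the nonce layout (a UTC timestamp prefix followed by a unique suffix, in the style of the OpenID 2.0 drafts), the discovery function and every URL are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed RP policy window for accepting a nonce; not a value from the thread or the spec.
MAX_NONCE_AGE = timedelta(minutes=5)


@dataclass(frozen=True)
class Assertion:
    """The fields of a positive assertion that matter for these two checks."""
    claimed_id: str      # portable identifier
    identity: str        # IdP-specific identifier
    op_endpoint: str     # IdP that signed the assertion
    response_nonce: str  # UTC timestamp prefix plus unique suffix (assumed OpenID 2.0-style)


def nonce_issued_at(nonce: str) -> datetime:
    """Extract the UTC timestamp the IdP placed at the front of the nonce."""
    stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)


class RelyingParty:
    def __init__(self, discover, clock):
        self.discover = discover      # claimed_id -> (op_endpoint, local_id) or None
        self.clock = clock            # returns the current UTC datetime
        self.seen_nonces = {}         # nonce -> issue time, enforces single use

    def _purge_old_nonces(self, now):
        # Nonces outside the window are rejected as stale anyway, so they can be forgotten.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_NONCE_AGE}

    def verify(self, a: Assertion) -> str:
        now = self.clock()
        self._purge_old_nonces(now)

        # Check 1: freshness and single use of the nonce.
        issued = nonce_issued_at(a.response_nonce)
        if issued > now or now - issued > MAX_NONCE_AGE:
            return "reject: stale nonce"
        if a.response_nonce in self.seen_nonces:
            return "reject: replayed nonce"

        # Check 2: the IdP-specific identifier in the response must match the
        # binding that discovery on the portable identifier yields *now*.
        found = self.discover(a.claimed_id)
        if found is None:
            return "reject: discovery failed"
        op_endpoint, local_id = found
        if op_endpoint != a.op_endpoint:
            return "reject: op_endpoint not authoritative for claimed_id"
        if local_id != a.identity:
            return "reject: IdP-specific identifier no longer bound to claimed_id"

        self.seen_nonces[a.response_nonce] = issued
        return "accept"


def run_scenario() -> dict:
    """Constructed walk-through of the trapped-response scenario against these checks."""
    claimed = "https://alice.example.net/"
    op = "https://op.example.org/"
    # Discovery state while the other party still controls the portable identifier.
    bindings = {claimed: (op, "https://op.example.org/user/mallory")}
    now = [datetime(2006, 10, 19, 18, 18, 0, tzinfo=timezone.utc)]
    rp = RelyingParty(bindings.get, lambda: now[0])

    def trapped(suffix):
        return Assertion(claimed, "https://op.example.org/user/mallory", op,
                         "2006-10-19T18:18:00Z" + suffix)

    results = {}
    results["fresh"] = rp.verify(trapped("n1"))      # valid while she holds the identifier
    results["replay"] = rp.verify(trapped("n1"))     # same nonce presented a second time

    # Alice regains control and rebinds her portable identifier to her own IdP account.
    bindings[claimed] = (op, "https://op.example.org/user/alice")
    results["after_rebind"] = rp.verify(trapped("n2"))

    # Ten minutes later, another trapped response falls outside the nonce window.
    now[0] += timedelta(minutes=10)
    results["late"] = rp.verify(trapped("n3"))
    return results
```

The order of the checks matters for the point Dick makes: the nonce check alone already bounds the damage to the window, while the binding check is what lets the rightful owner invalidate an unexpired response by changing the IdP-specific identifier. Neither check is free for the RP, so a spec has to say explicitly that verification includes re-running discovery on the portable identifier and comparing both `op_endpoint` and the IdP-specific identifier against the response.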