On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> 2) the RP does not verify the binding between the portable
> identifier and the IdP-specific identifier in the response.
> to the one the attacker controls and the IdP has mapped

This is the part where I think you're wrong. The RP MUST verify that binding, whether it is by keeping state, self-signing the request (which gets passed through to the response) or doing discovery again.

Josh

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
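The RP-side check Josh is describing, written out as an added example (not code from the thread or from any OpenID library): the RP accepts a positive assertion only if the OP-local identifier and OP endpoint it carries are the ones that discovery on the claimed (portable) identifier yields, either from state saved at request time or by rediscovering now. Discovery is stubbed with a constructed table, the hostnames and identifiers are made up, and the third option from the message (self-signing the request) is not shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DiscoveryResult:
    op_endpoint: str   # OP endpoint URL found by discovery
    op_local_id: str   # OP-local identifier (what the OP signs as openid.identity)

# Constructed stand-in for Yadis/HTML discovery results (not real hosts).
DISCOVERY_TABLE = {
    "https://alice.example.net/": DiscoveryResult(
        "https://op.example.org/auth", "https://op.example.org/user/alice"),
}

def discover(claimed_id):
    """Discovery on the portable identifier; here a table lookup."""
    return DISCOVERY_TABLE.get(claimed_id)

def verify_binding(response, saved=None):
    """Accept the assertion only if openid.identity and openid.op_endpoint match
    what discovery on openid.claimed_id yields. `saved` is the DiscoveryResult
    kept from request time (stateful RP); with no state, rediscover now.
    Assumes the OP's signature over these fields has already been checked."""
    expected = saved if saved is not None else discover(response["openid.claimed_id"])
    if expected is None:
        return False
    return (expected.op_endpoint == response["openid.op_endpoint"]
            and expected.op_local_id == response["openid.identity"])

# Constructed positive assertion consistent with discovery.
GOOD = {"openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://op.example.org/user/alice",
        "openid.op_endpoint": "https://op.example.org/auth"}
# Same claimed identifier, but the OP-local identifier belongs to another
# account at that OP; the OP signature can be valid yet the binding is wrong.
SWAPPED = dict(GOOD, **{"openid.identity": "https://op.example.org/user/mallory"})

if __name__ == "__main__":
    print(verify_binding(GOOD), verify_binding(SWAPPED))  # True False
```

An RP that only checks the signature and trusts openid.claimed_id as presented accepts SWAPPED; the binding check is what rejects it.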