RE: Two Identifiers - no caching advantage

2006-10-22 Thread Recordon, David
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins
Sent: Sunday, October 22, 2006 1:34 PM
To: specs@openid.net
Subject: Re: Two Identifiers - no caching advantage

Dick Hardt wrote:
> On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:
>
>> On 10/21/06, Di

Re: Two Identifiers - no caching advantage

2006-10-22 Thread Martin Atkins
Dick Hardt wrote:
> On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:
>
>> On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>>> 2) the RP does not verify the binding between the portable
>>> identifier and the IdP-specific identifier in the response.
>>> to the one the attacker controls and

Re: Two Identifiers - no caching advantage

2006-10-22 Thread Dick Hardt
On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote:
> On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> 2) the RP does not verify the binding between the portable
>> identifier and the IdP-specific identifier in the response.
>> to the one the attacker controls and the IdP has mapped
>
> Th

Re: Two Identifiers - no caching advantage

2006-10-21 Thread Josh Hoyt
On 10/21/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> 2) the RP does not verify the binding between the portable
> identifier and the IdP-specific identifier in the response.
> to the one the attacker controls and the IdP has mapped

This is the part where I think you're wrong. The RP MUST

Re: Two Identifiers - no caching advantage

2006-10-21 Thread Dick Hardt
On 19-Oct-06, at 11:12 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> > Your attack fails.
>>
>> reread the attack. The portable identifier and the IdP do
>> match.
>
> No, the identifiers do not.

They do. The attacker goes to the RP and enters my blog URL. The

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Josh Hoyt
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> If you want that to happen, then you have to spec out that the RP is
> verifying the IdP-specific identifier and portable identifier binding
> when it receives it. That is not in the current proposal.

If that is not in there, then the proposal *

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Dick Hardt
On 19-Oct-06, at 11:18 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> reread the attack. The portable identifier and the IdP do
>> match.
>
> In fact, this makes me think of an attack that *would* succeed if the
> IdP-specific identifier was not in the response:
>

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Josh Hoyt
On 10/19/06, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> when she has control

Sorry that I didn't put this all in one message, but: I think it's worthwhile to be aware of what might happen in scenarios where your identifier has been stolen, but it should not have much bearing on which proposal gets ac

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Josh Hoyt
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> reread the attack. The portable identifier and the IdP do match.

In fact, this makes me think of an attack that *would* succeed if the IdP-specific identifier was not in the response: when she has control, she initiates a log-in, but traps the

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Dick Hardt
On 19-Oct-06, at 10:40 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> My head is a little more clear this morning, so let me clarify.
>>
>> My key point is that the IdP cannot trust the discovery done by the
>> RP since the request is unsigned and may have been m

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Josh Hoyt
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> My head is a little more clear this morning, so let me clarify.
>
> My key point is that the IdP cannot trust the discovery done by the
> RP since the request is unsigned and may have been modified
> between the RP and the IdP. The IdP shoul

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Pete Rowley
Dick Hardt wrote:
> My key point is that the IdP cannot trust the discovery done by the RP since the request is unsigned and may have been modified between the RP and the IdP.

Yep. Though trusting RPs for _anything_ is a bad idea. Users necessarily need to trust IdPs, the IdPs should

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Josh Hoyt
On 10/19/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> > Your attack fails.
>
> reread the attack. The portable identifier and the IdP do match.

No, the identifiers do not. It did at one time, but not at the time that the attack takes place. While she has control of your blog, she has control of yo

Re: Two Identifiers - no caching advantage

2006-10-19 Thread Dick Hardt
My head is a little more clear this morning, so let me clarify.

My key point is that the IdP cannot trust the discovery done by the RP since the request is unsigned and may have been modified between the RP and the IdP. I was showing a potential attack vector where even though I think I

RE: Two Identifiers - no caching advantage

2006-10-19 Thread Drummond Reed
I don't have time this second to go into more detail, but a quick high-level observation about Dick's Cached Discovery Attack: if your blog (or the target page of any portable OpenID identifier) can be hacked, you've already lost your identity. All the hacker has to do is point the link tag at thei