On 10/13/06, Marius Scurtescu <[EMAIL PROTECTED]> wrote:
> The IdP is issuing a signed assertion about these identifiers, I
> would assume the IdP to check the link between these identifiers.

Sending two identifiers does not *prevent* the IdP from checking to
make sure they match.

> What if a bad RP sends an auth request with a mismatched set and then
> re-posts the response to some other RP? I am sure someone will figure
> a way to exploit this.

It is, and must be, the relying party's responsibility to ensure that
the information in the response matches what is discovered. This is
true regardless of whether portable identifiers are used or not. It is
true for all of the proposed delegation mechanisms. It is
really one of the fundamental elements of OpenID.

A response from an IdP is meaningless until it is compared with the
discovered information for the identifier in question.

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
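The check described in this reply, the RP comparing a response against its own discovery results, as an added example that is not part of the thread or of any OpenID library: it uses OpenID 2.0 parameter names (openid.claimed_id, openid.identity, openid.op_endpoint), a constructed discovery table in place of real HTML/Yadis discovery, and assumes the response signature was already verified in an earlier step.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass(frozen=True)
class Discovered:
    """What the RP learned by doing discovery on the claimed identifier."""
    claimed_id: str   # identifier the user entered, normalised
    op_endpoint: str  # IdP endpoint found during discovery
    local_id: str     # delegate (IdP-local identifier); equals claimed_id without delegation

# Constructed discovery results; a real RP fetches these via HTML link-rel
# or Yadis discovery rather than reading a table.
DISCOVERY_TABLE = {
    "https://alice.example.org/": Discovered(
        "https://alice.example.org/", "https://idp.example.net/openid",
        "https://idp.example.net/user/alice"),
    "https://bob.example.org/": Discovered(
        "https://bob.example.org/", "https://idp.example.net/openid",
        "https://idp.example.net/user/bob"),
}

def discover(claimed_id: str) -> Optional[Discovered]:
    """Stand-in for real discovery (hypothetical helper, table lookup only)."""
    return DISCOVERY_TABLE.get(claimed_id)

def response_matches_discovery(response: Mapping[str, str]) -> bool:
    """True only if every identifier field in the (already signature-checked)
    response agrees with what the RP itself discovered for the claimed_id.
    Identifiers and endpoints carried in the response are never trusted alone."""
    discovered = discover(response.get("openid.claimed_id", ""))
    if discovered is None:
        return False  # nothing discovered: the response is meaningless
    return (response.get("openid.identity") == discovered.local_id
            and response.get("openid.op_endpoint") == discovered.op_endpoint)

# Constructed responses (signature assumed verified in an earlier step).
GOOD = {"openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://idp.example.net/user/alice",
        "openid.op_endpoint": "https://idp.example.net/openid"}
# The mismatched set from the thread: alice's claimed_id paired with bob's
# local identifier. Discovery on alice's URL never yields bob's delegate.
MISMATCHED = dict(GOOD, **{"openid.identity": "https://idp.example.net/user/bob"})
# Endpoint other than the discovered one: rejected even though identifiers line up.
WRONG_ENDPOINT = dict(GOOD, **{"openid.op_endpoint": "https://other.example/openid"})

if __name__ == "__main__":
    for name, resp in [("GOOD", GOOD), ("MISMATCHED", MISMATCHED), ("WRONG_ENDPOINT", WRONG_ENDPOINT)]:
        print(name, "accepted" if response_matches_discovery(resp) else "rejected")
```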
