On 14-Oct-06, at 9:17 PM, Josh Hoyt wrote:

> On 10/14/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> Since the request is not signed and flows through the user, the IdP
>> does not know the request message has not been modified. If the IdP
>> assumes the two identifiers are bound, then a malicious user can
>> pretend to be a different user from the same IdP to the RP. This
>> presumes the IdP is using an IdP identifier and the RP is using an RP
>> identifier and the binding is assumed by sending both.
>>
>> Therefore, the IdP MUST make sure the two identifiers are linked, so
>> sending both is redundant for the IdP.
>
> The relying party knows both identifiers from doing discovery, and it
> must check to make sure they match what is in the assertion.
Actually, the RP needs to bind the IdP to the presented_identifier.

> Since the
> relying party MUST make sure it matches, the IdP doesn't have to. I
> would say that the IdP SHOULD check to make sure it's valid, but it's
> not strictly required.

The IdP needs to bind the user they have authenticated to the presented_identifier.

Per my other email, the display_identifier is just a hint and is not needed.

-- Dick

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
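As an added example (not code from the thread or from any OpenID implementation) of the RP-side check Josh describes: the RP binds the IdP endpoint it found at discovery to the presented identifier and rejects an assertion in which the IdP-local identifier was swapped for another user's at the same IdP, or in which the identifiers are not covered by the signature. The DiscoveryResult shape and the sample identifiers are assumptions; the assertion fields use OpenID 2.0 parameter names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveryResult:
    """What the RP learned by doing discovery on the identifier the user typed (assumed shape)."""
    claimed_id: str    # RP-side (presented) identifier
    local_id: str      # IdP-side identifier discovery mapped it to
    op_endpoint: str   # IdP endpoint discovery pointed to


# Assertion fields that must be covered by the IdP's signature for the
# binding check to mean anything (OpenID 2.0 parameter names).
BINDING_FIELDS = ("op_endpoint", "claimed_id", "identity")


def verify_identifier_binding(discovered: DiscoveryResult, assertion: dict) -> tuple:
    """Return (ok, reason). Assumes the signature over openid.signed was
    already verified; this only checks that the signed identifiers are
    the ones discovery bound to this IdP."""
    signed = set(assertion.get("openid.signed", "").split(","))
    for field in BINDING_FIELDS:
        if field not in signed:
            return False, f"{field} is not covered by the signature"
    if assertion.get("openid.op_endpoint") != discovered.op_endpoint:
        return False, "assertion came from a different IdP than discovery found"
    if assertion.get("openid.claimed_id") != discovered.claimed_id:
        return False, "claimed_id does not match the presented identifier"
    if assertion.get("openid.identity") != discovered.local_id:
        return False, "identity is not the IdP-local id discovery bound to claimed_id"
    return True, "identifiers bound to the discovered IdP"


# Constructed sample data (not from the thread).
DISCOVERED = DiscoveryResult(
    claimed_id="https://alice.example.org/",
    local_id="https://idp.example.net/users/alice",
    op_endpoint="https://idp.example.net/openid",
)
GOOD_ASSERTION = {
    "openid.op_endpoint": "https://idp.example.net/openid",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.identity": "https://idp.example.net/users/alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
# Same IdP, but the local identifier now names a different user.
SWAPPED_ASSERTION = dict(GOOD_ASSERTION, **{"openid.identity": "https://idp.example.net/users/mallory"})
# Identity left out of the signed list, so the IdP's signature does not vouch for it.
UNSIGNED_ASSERTION = dict(GOOD_ASSERTION, **{"openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle"})

if __name__ == "__main__":
    for name, a in (("good", GOOD_ASSERTION), ("swapped", SWAPPED_ASSERTION), ("unsigned", UNSIGNED_ASSERTION)):
        print(name, verify_identifier_binding(DISCOVERED, a))
```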
