Proposal (Was: When are and aren't two URLs the same?)

Jonathan Daugherty cygnus at janrain.com
Mon Apr 24 18:02:11 UTC 2006


# # In the extreme case, this opens up a huge security hole. If the RP
# # defines URL1 and URL2 to be equivalent, but the IDP does not, then
# # the user owning URL2 can very easily impersonate user with URL1 at
# # the RP -- because RP does not distinguish the two!
# 
# But in this case, there won't be a user with URL1 and a user with
# URL2; if they're equivalent, only one user will have both (technically
# the user will have one or the other, but be able to use either).

On a second read, I'm pretty sure I got this wrong.  If an RP "defines
URL1 and URL2 to be equivalent", I guess you mean that the RP will
actively *transform* one into the other during a canonicalization
process.  If this is true, it doesn't really matter in the case where
the IDP *doesn't* consider them equivalent, because authentication
will strangely fail when the owner of one URL is asked to authenticate
as the owner of the other.  Have I got that right?

-- 
  Jonathan Daugherty
  JanRain, Inc.
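The two outcomes discussed in this exchange (impersonation when the RP folds URLs together but only verifies the URL as typed, versus a plain authentication failure when the RP canonicalizes first and asks the IDP to vouch for the canonical URL) can be made concrete in a small model. The following is an added example, not code from the original thread, from JanRain, or from any OpenID/Yadis library; the canonicalization rules, the IDP session model (`logged_in_user` as a plain string), and the URLs and user names are all constructed for illustration.

```python
# Added example, not code from the original thread or from JanRain: a toy
# model of an RP and an IDP that apply different URL canonicalization rules.
# All URLs, user names and rules below are constructed for illustration.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def rp_canonicalize(url: str) -> str:
    """Hypothetical RP rules: case-fold scheme and host, drop a default port,
    drop a leading "www.", drop a trailing slash. The RP therefore treats a
    broad class of spellings as one identifier."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").removeprefix("www.")
    if p.port and p.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{p.port}"
    path = p.path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, p.query, ""))


def idp_canonicalize(url: str) -> str:
    """Hypothetical IDP rules: only scheme and host are case-folded. "www."
    and a trailing slash stay significant, so the IDP sees
    http://www.example.com/alice/ and http://example.com/alice as different."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path, p.query, ""))


class IDP:
    """Maps each identifier (in the IDP's canonical form) to its owner."""

    def __init__(self, owners: dict[str, str]):
        self.owners = {idp_canonicalize(u): who for u, who in owners.items()}

    def authenticate(self, identifier: str, logged_in_user: str) -> bool:
        # Succeeds only if the user holding the IDP session owns the identifier.
        return self.owners.get(idp_canonicalize(identifier)) == logged_in_user


class RP:
    """Keys local accounts by the RP's canonical form of the identifier."""

    def __init__(self, idp: IDP, accounts: dict[str, str]):
        self.idp = idp
        self.accounts = {rp_canonicalize(u): a for u, a in accounts.items()}

    def login_verify_then_canonicalize(self, claimed: str, user: str):
        """The hole from the quoted message: the IDP is asked about the URL
        exactly as typed, and only afterwards does the RP fold it onto an
        account. The owner of the un-canonical spelling lands in the other
        user's account."""
        if not self.idp.authenticate(claimed, user):
            return None
        return self.accounts.get(rp_canonicalize(claimed))

    def login_canonicalize_then_verify(self, claimed: str, user: str):
        """What the reply describes: the RP transforms the URL first and asks
        the IDP to vouch for the transformed URL. If the IDP does not agree
        that the two are equivalent, the login simply fails."""
        canonical = rp_canonicalize(claimed)
        if not self.idp.authenticate(canonical, user):
            return None
        return self.accounts.get(canonical)


# Constructed fixture: at the IDP, alice and mallory hold identifiers that the
# RP (but not the IDP) considers the same URL.
idp = IDP({
    "http://example.com/alice": "alice",
    "http://www.example.com/alice/": "mallory",
})
rp = RP(idp, {"http://example.com/alice": "alice-account"})

if __name__ == "__main__":
    claimed = "http://WWW.Example.com/alice/"
    print(rp.login_verify_then_canonicalize(claimed, "mallory"))   # alice-account
    print(rp.login_canonicalize_then_verify(claimed, "mallory"))   # None
    print(rp.login_canonicalize_then_verify("http://Example.com/alice", "alice"))  # alice-account
```

The order of operations is the whole point: whatever equivalence rules an RP chooses, the identifier it ends up trusting must be the one the IDP actually vouched for, so canonicalize before the assertion is requested (or verify the IDP-returned identifier against the canonical form) rather than after.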


More information about the yadis mailing list