Replay attacks vs man in the middle

Sam Ruby rubys at intertwingly.net
Fri May 20 11:37:32 PDT 2005


Martin Atkins wrote:
> Sam Ruby wrote:
> 
>> In fact, the easiest thing I could do is to let the system go through 
>> the motions.  I initiate a post to your website saying that I am Fred. 
>> Fred's server serves up a page which asks me to authenticate.  I, of 
>> course, fail, but instead of the IFrame passing back up this little 
>> bit of information, I pass up a different response instead.  Remember, 
>> I have Greasemonkey.  This browser does what *I* want it to do.
>>
>>  From your perspective, you served up a comment form.  You initiated a 
>> redirect to Fred's machine.  You get back a response that says "Fred 
>> says it was OK".  What's not to like?
> 
> That's right. It'll all work fine until you submit it to the consumer 
> site, at which point it'll try to validate your token but the ID server 
> key won't match.
> 
> All you've done is conned your client. The server knows better.

That would be cool, but I miss the part in the specs where it says this.

But, assuming that were so, then I would assert that this is the part 
that is necessary and sufficient.  The redirection is not the crucial 
part, this is.

Now, given that I can install software on my client, all I need to be 
able to do is generate a token that matches my ID server.  This means 
that I can avoid all the round trips.

- Sam Ruby
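The server-side check Martin describes, as an added illustration that is not part of this thread: the consumer recomputes the token with the key it shares with the ID server, so a response the browser passes up on its own does not validate. The HMAC-over-a-nonce construction, the out-of-band shared key and the names (`Consumer`, `fred.example`) are assumptions for the example, not the Yadis wire format.

```python
import hashlib
import hmac
import secrets

# Assumed: consumer and ID server share a key agreed out of band.
# The page does not show how that key is established.
def sign_assertion(key: bytes, identity: str, nonce: str) -> str:
    """ID server side: the token that says 'identity says it was OK'."""
    msg = f"{identity}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Consumer:
    """Consumer site: holds the ID server key and the nonces it has already
    accepted, so a captured token cannot be replayed either."""

    def __init__(self, id_server_key: bytes) -> None:
        self.key = id_server_key
        self.seen_nonces: set[str] = set()

    def validate(self, identity: str, nonce: str, token: str) -> bool:
        if nonce in self.seen_nonces:
            return False  # replay of an assertion already accepted
        expected = sign_assertion(self.key, identity, nonce)
        if not hmac.compare_digest(expected, token):
            return False  # token was not made with the ID server's key
        self.seen_nonces.add(nonce)
        return True


def honest_flow() -> bool:
    """Fred really authenticates; the ID server signs with the shared key."""
    key = secrets.token_bytes(32)
    nonce = secrets.token_hex(8)
    return Consumer(key).validate("fred.example", nonce, sign_assertion(key, "fred.example", nonce))


def forged_client_response() -> bool:
    """The attacker's browser skips authentication and passes up its own
    'Fred says it was OK'. It has no ID server key, so the token cannot match."""
    key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)  # any key the client controls
    nonce = secrets.token_hex(8)
    return Consumer(key).validate("fred.example", nonce, sign_assertion(attacker_key, "fred.example", nonce))


def replayed_token() -> bool:
    """A genuine token captured once is presented a second time."""
    key = secrets.token_bytes(32)
    consumer, nonce = Consumer(key), secrets.token_hex(8)
    token = sign_assertion(key, "fred.example", nonce)
    consumer.validate("fred.example", nonce, token)  # first use is accepted
    return consumer.validate("fred.example", nonce, token)
```

The point of the exchange survives in the last function's return value: conning the client buys nothing, and only a party holding the ID server's key can produce a token the consumer accepts.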



More information about the yadis mailing list