Proposal (Was: When are and aren't two URLs the same?)
Jonathan Daugherty
cygnus at janrain.com
Mon Apr 24 18:02:11 UTC 2006
# # In the extreme case, this opens up a huge security hole. If the RP
# # defines URL1 and URL2 to be equivalent, but the IDP does not, then
# # the user owning URL2 can very easily impersonate user with URL1 at
# # the RP -- because RP does not distinguish the two!
#
# But in this case, there won't be a user with URL1 and a user with
# URL2; if they're equivalent, only one user will have both (technically
# the user will have one or the other, but be able to use either).
On a second read, I'm pretty sure I got this wrong. If an RP "defines
URL1 and URL2 to be equivalent", I guess you mean that the RP will
actively *transform* one into the other during a canonicalization
process. If this is true, it doesn't really matter in the case where
the IDP *doesn't* consider them equivalent, because authentication
will strangely fail when the owner of one URL is asked to authenticate
as the owner of the other. Have I got that right?
--
Jonathan Daugherty
JanRain, Inc.
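The two outcomes discussed above can be shown side by side: the quoted worry (an RP that treats URL1 and URL2 as one identity while the IdP keeps them distinct lets the owner of URL2 land on URL1's account) and the second reading (an RP that rewrites URL2 into URL1 before asking the IdP simply gets a failed authentication). The simulation below is an added example written for this archive page; it is not code from the yadis list, from JanRain or from any OpenID library. The `IdP` and `RP` classes, the two normalizers, the example.com URLs and the users alice and bob are all constructed for illustration. The defender's point it makes is that an RP should only collapse URL forms that are equivalent by RFC 3986 (scheme and host case, default port, empty path) and must check that the IdP's assertion names exactly the identifier it asked about.

```python
"""RP-side vs IdP-side identifier equivalence (OpenID 1.x style), simulated.

Added example, not from the mailing-list post or any OpenID implementation.
All URLs, users and account names below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_strict(url: str) -> str:
    """Apply only RFC 3986 equivalences: lowercase scheme and host, drop the
    default port, turn an empty path into '/', drop the fragment.
    Path case and trailing slashes are preserved because they are significant."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def normalize_lenient(url: str) -> str:
    """Over-eager normalizer: also lowercases the path and strips trailing
    slashes, so it collapses identifiers an IdP may treat as distinct."""
    parts = urlsplit(normalize_strict(url))
    path = parts.path.lower().rstrip("/") or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


class IdP:
    """Identity provider that compares identifier URLs as exact strings."""

    def __init__(self, owners):
        self.owners = dict(owners)  # exact URL -> user allowed to authenticate as it

    def assert_identity(self, identity, authenticated_user):
        """Return the asserted identity URL, or None when the user does not own it."""
        return identity if self.owners.get(identity) == authenticated_user else None


class RP:
    """Relying party keyed on its own normalized form of the identifier."""

    def __init__(self, normalize, transform_before_request):
        self.normalize = normalize
        self.transform_before_request = transform_before_request
        self.accounts = {}  # normalized identifier -> local account name

    def register(self, url, account):
        """Bind a local account to an identifier; refuse if the key is taken."""
        key = self.normalize(url)
        if key in self.accounts:
            return False
        self.accounts[key] = account
        return True

    def login(self, claimed_url, idp, authenticated_user):
        """Return the local account the IdP assertion maps to, or None."""
        requested = self.normalize(claimed_url) if self.transform_before_request else claimed_url
        asserted = idp.assert_identity(requested, authenticated_user)
        if asserted is None:
            return None  # IdP refused: the "strangely fails" case
        if asserted != requested:
            return None  # assertion must name exactly the identifier we asked about
        return self.accounts.get(self.normalize(asserted))


URL1 = "http://example.com/alice"  # constructed; alice owns it at the IdP
URL2 = "http://example.com/Alice"  # constructed; bob owns it; equal to URL1 only under lenient rules


def run_scenarios():
    """Run bob's and alice's logins under both normalizers and both RP behaviours."""
    idp = IdP({URL1: "alice", URL2: "bob"})
    results = {}
    for name, norm in (("lenient", normalize_lenient), ("strict", normalize_strict)):
        for mode in ("passthrough", "transform"):
            rp = RP(norm, transform_before_request=(mode == "transform"))
            rp.register(URL1, "alice-at-rp")
            results[f"{name}_{mode}_bob_registered"] = rp.register(URL2, "bob-at-rp")
            results[f"{name}_{mode}_bob"] = rp.login(URL2, idp, "bob")
            results[f"{name}_{mode}_alice"] = rp.login(URL1, idp, "alice")
    return results


if __name__ == "__main__":
    for key, value in sorted(run_scenarios().items()):
        print(f"{key}: {value}")
```

With the lenient normalizer, bob's login through an RP that passes the claimed URL to the IdP unchanged ends on alice's account (the impersonation the quoted message worried about), while an RP that rewrites the URL first gets a refusal from the IdP (the failure described in the reply). With the strict normalizer both users keep their own accounts in either mode, and bob's registration is no longer silently blocked by alice's.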