On Tue, Dec 9, 2008 at 8:35 PM, Dirk Balfanz <
balfanz@google.com> wrote:
- Both in the PKI and in the out-of-band versions the basic verification
step seems to go like this: you already have a canonical_id, and you do the
following: (1) check that the canonical_id in the XRD document is the same
as the canonical_id you're already holding, (2) verify the signature on the
document, (3) verify that the key used to sign the document matches the
canonical_id in the document. Why bother with the canonical_id in the
document in the first place? Why not just (1) verify the signature, and (2)
verify that the key used to sign the document matches the canonical_id
you're already holding?
The canonical id in the document is important because it prevents
someone from replaying a document in a different context. For
example, imagine two users with two different XRDs:
http://www.example.com/good has a signon URL of
http://some-trusted-idp
http://www.example.com/evil has a signon URL of
http://some-evil-idp
Both XRDs are signed by
www.example.com (which is what you'd expect
since they are authoritative for
www.example.com URLs...).
Now imagine that some RP is looking for the XRD for
http://www.example.com/good, but an attacker substitutes the XRD for
http://www.example.com/evil.
Without a canonical ID in the XRD, there's no way for the RP to tell.
(If this is coherent/accurate we need to write it down somewhere,
because the attack is kind of subtle.)
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php