imi message

Subject: RE: [imi] Question regarding encryption

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'John Bradley'" <jbradley@mac.com>
Date: Mon, 7 Dec 2009 09:11:21 -0500

John Bradley wrote on 2009-12-07:
> Yes, I think in practice a non-auditing card may not meet LoA 3.   It
would
> at least be a discussion.

I don't know whether it does or not. My point is that no sane user would use
one for anything important if they understood the risk. You're handing your
identity over to a RP who's then free to impersonate you to other sites
accepting non-auditing tokens for the life of the bearer window. It's not
about getting your token stolen by some obscure network attack, this is just
blatantly unsafe, no different than handing over a reusable "OTP".

-- Scott

References:
- [OASIS Issue Tracker] Created: (IMI-25) ic09:X509Principal andic09:X509SubjectAndIssuer introduced in locations that violate IMI 1.0schema
  - From: OASIS Issues Tracker <workgroup_mailer@lists.oasis-open.org>
- Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>
- Re: [imi] Question regarding encryption
  - From: Mario Ivkovic <mario.ivkovic@a-sit.at>
- Re: [imi] Question regarding encryption
  - From: John Bradley <jbradley@mac.com>