I do not yet understand what prevents me from stealing these 'certificates of ownership of the email' by creating a web site with my own version of 'include.js'. In this malicious version, the "Assertion Generation" also sends the private key to the server. After that, the server can use the user's login as it wants. It seems there is a timeout, but it allows the malicious server to log in as long as the timeout has not elapsed.
Where am I wrong?