Subject: [saml-dev] RE: [security-services] SubjectLocality errata?
> Specifically, what "current practice" appears to require it? This sounds
> pretty ambiguous and if so, should be cleared up in the spec.

The current practice is the enforcement of IP checking when doing SSO between web servers, as a way to increase an attacker's burden.

> SubjectLocality is defined as the name/address FOR the system entity THAT
> WAS authenticated. If the system entity is a computer system, then I can
> understand why the info might be useful, although I'm not sure how "current
> practice" applies.

In the context of the browser profiles, it's presumably the IP address the browser used when it authenticated.

> But for authenticated users, it doesn't make much sense since users don't
> typically have IP/DNS addresses. It isn't supposed to identify WHERE the
> system entity WAS authenticated. Or is this how others interpreted its
> use?

No, but in a web context, the browser (the USER agent) is considered to be standing in for the user.

-- Scott
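The "IP checking" practice Scott describes, as an added illustration that is not part of the thread or of any SAML implementation: a relying party compares the SubjectLocality recorded by the identity provider against the address the browser is presenting to it now. The snippet assumes SAML 2.0 syntax (a SubjectLocality element with an Address attribute inside AuthnStatement, under the urn:oasis:names:tc:SAML:2.0:assertion namespace); the assertion text, the hostnames and the addresses are constructed sample data, and the remote address is whatever the caller's web framework reports for the connection.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (hypothetical issuer, subject and addresses);
# signature and Conditions elements are omitted because they are not what
# this check looks at.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed-example"
    Version="2.0" IssueInstant="2004-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-01-01T00:00:00Z">
    <saml:SubjectLocality Address="203.0.113.7" DNSName="client.example.net"/>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def subject_locality_addresses(assertion_xml):
    """Return every Address recorded in AuthnStatement/SubjectLocality.

    An assertion may carry several AuthnStatements; a SubjectLocality with
    only a DNSName and no Address contributes nothing to the list.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML2_NS}
    found = root.findall("saml:AuthnStatement/saml:SubjectLocality", ns)
    return [el.get("Address") for el in found if el.get("Address")]


def _normalise(addr_text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener compares the same IPv4 the IdP recorded."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def locality_matches(assertion_xml, remote_addr, require_locality=False):
    """True when the browser's current address equals one the IdP recorded.

    require_locality=False treats an assertion with no Address as a pass,
    since SubjectLocality is optional; set it True to insist on the check.
    Unparseable addresses never match.
    """
    recorded = subject_locality_addresses(assertion_xml)
    if not recorded:
        return not require_locality
    try:
        remote = _normalise(remote_addr)
    except ValueError:
        return False
    for text in recorded:
        try:
            if _normalise(text) == remote:
                return True
        except ValueError:
            continue  # IdP recorded something that is not an IP literal
    return False


if __name__ == "__main__":
    print(subject_locality_addresses(SAMPLE_ASSERTION))
    print(locality_matches(SAMPLE_ASSERTION, "203.0.113.7"))
    print(locality_matches(SAMPLE_ASSERTION, "198.51.100.9"))
```

The comparison only makes sense after the assertion's signature has been verified, since SubjectLocality is issuer-asserted data like everything else in the assertion. It also raises an attacker's burden rather than settling the question, as Scott's phrasing suggests: the address the IdP saw and the one the SP sees can legitimately differ behind NAT, forward proxies or a mobile carrier, so a mismatch is usually a signal to log or to step up authentication rather than a hard rejection on its own.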