OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [saml-dev] RE: [security-services] SubjectLocality errata?


>Specifically, what "current practice" appears to require it?  This
sounds
>pretty ambiguous and if so, should be cleared up in the spec.

The current practice is the enforcement of IP checking when doing SSO
between web servers, as a way to increase an attacker's burden.

>SubjectLocality is defined as the name/address FOR the system entity
THAT
>WAS authenticated. If the system entity is a computer system, then I
can
>understand why the info might be useful, although I'm not sure how
"current
>practice" applies.

In the context of the browser profiles, it's presumably the IP address
the browser used when it authenticated.

>But for authenticated users, it doesn't make much sense since users
don't
>typically have IP/DNS addresses.  It isn't supposed to identify WHERE
the
>system entity WAS authenticated.  Or is this how others interpreted its
>use?

No, but in a web context, the browser (the USER agent) is considered to
be standing in for the user.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC