Subject: RE: [saml-dev] RE: Réf. : RE: [saml-dev] Question about logout
> About this part:
> "If the IdP gets a request with some other value it should treat that as a
> failure, even if the IdP could *guess* which user the caller is talking about."
>
> Where is this constraint indicated in the spec?
>
> Lines 1299-1301 of the Profiles spec. From a security point of view,
> letting someone sit there and guess possible other IDs for the user would
> be a substantial security and/or privacy hole.

Oops, you're right, I forgot the matching language was in there also. (That's a web profile issue of course, it's not strictly speaking a rule for all possible uses of logout.)

-- Scott
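As an added illustration of the matching rule discussed above (example code, not from the thread or from the SAML specification): an IdP-side check that accepts a LogoutRequest only when its NameID matches the one the IdP issued for the principal's session, and otherwise fails instead of guessing which user the caller means. The session store, the request builder and the strong-match criteria (value plus Format and both qualifiers, from the issuing SP) are my assumptions.

```python
import xml.etree.ElementTree as ET  # a hardened IdP would parse untrusted XML with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed IdP session store: the NameID that was issued to the SP for this session.
SESSIONS = {
    "sess-42": {
        "sp": "https://sp.example.org",
        "name_id": {"value": "_a3f9c0d1e2", "Format": PERSISTENT,
                    "NameQualifier": "https://idp.example.org",
                    "SPNameQualifier": "https://sp.example.org"},
    },
}

def make_logout_request(name_id_value, fmt=PERSISTENT, sp_qualifier="https://sp.example.org"):
    """Build a constructed (unsigned) LogoutRequest for the examples below."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.org</saml:Issuer>"
        f'<saml:NameID Format="{fmt}" NameQualifier="https://idp.example.org" '
        f'SPNameQualifier="{sp_qualifier}">{name_id_value}</saml:NameID>'
        "</samlp:LogoutRequest>"
    )

def parse_logout_request(xml_text):
    """Return the Issuer and the NameID (value plus qualifying attributes), or None if absent."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    nid = root.find("saml:NameID", NS)
    if issuer is None or nid is None:
        return None
    name_id = {"value": (nid.text or "").strip()}
    for attr in ("Format", "NameQualifier", "SPNameQualifier"):
        name_id[attr] = nid.get(attr)
    return {"issuer": issuer.strip(), "name_id": name_id}

def logout_allowed(session_id, xml_text):
    """Accept only when the request's NameID exactly matches the one held for the
    session and the request comes from the SP it was issued to. Every other case
    is a failure: the IdP never falls back to guessing which user is meant."""
    session = SESSIONS.get(session_id)
    req = parse_logout_request(xml_text)
    if session is None or req is None or req["issuer"] != session["sp"]:
        return False
    return req["name_id"] == session["name_id"]

if __name__ == "__main__":
    print(logout_allowed("sess-42", make_logout_request("_a3f9c0d1e2")))  # True
    print(logout_allowed("sess-42", make_logout_request("_other_user")))  # False
```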