saml-dev message



Subject: Re: [saml-dev] Checking of InResponseTo attribute


See sections 6.1.3 and 6.1.4 of the Security and Privacy
Considerations document:

http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

Tom

On Thu, Nov 20, 2008 at 10:19 AM, Petrov, Stefan <stefan.petrov@sap.com> wrote:
>
> Hi all,
>
> I have some questions regarding the checking of the "InResponseTo" attribute.
> While the SAML2 specification documents clearly define that "InResponseTo" must
> be checked to confirm it corresponds to the request's "ID", they do not say why this
> is obligatory.
>
> What kind of attacks could this checking prevent?
> I see that it could be used to save time-consuming signature checking in
> eventual DoS attacks. Are there some other attack scenarios where it could
> be helpful?
>
> Thanks and Regards,
>
> Stefan
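As an added illustration (not part of Tom's or Stefan's messages, and not code from any SAML library): a minimal SP-side check that a Response's InResponseTo names a request the SP actually issued, consuming that ID exactly once. It assumes an SP-initiated flow and an in-memory store named RequestTracker; binding the response to a live request means a replayed, forged or unsolicited Response is rejected before signature verification is even attempted.

```python
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class RequestTracker:
    """Tracks AuthnRequest IDs this SP issued and has not yet seen answered.

    Assumed in-memory store for illustration only; a real SP would bind
    the ID to the user's session and share the store across instances.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.outstanding = {}   # request ID -> time the request was issued

    def issue(self, request_id, now=None):
        self.outstanding[request_id] = now if now is not None else time.time()

    def consume(self, in_response_to, now=None):
        """Accept an ID once: it must have been issued here and not expired."""
        now = now if now is not None else time.time()
        issued = self.outstanding.pop(in_response_to, None)
        if issued is None:
            return False          # never issued, or already consumed (replay)
        return now - issued <= self.ttl


def validate_in_response_to(response_xml, tracker, now=None):
    """Return True only if the Response's InResponseTo matches an outstanding
    request. A True result only admits the message to signature verification;
    it never replaces it. Untrusted XML should go through a hardened parser."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        return False
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return False              # SP-initiated flow: unsolicited Responses are rejected
    return tracker.consume(in_response_to, now)


# Constructed sample Response; only the InResponseTo attribute matters here.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_resp1" Version="2.0" '
    'IssueInstant="2008-11-20T10:19:00Z" InResponseTo="_req42"/>' % SAMLP_NS
)
```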

