Subject: Re: [saml-dev] Checking of InResponseTo attribute
See sections 6.1.3 and 6.1.4 of the Security and Privacy Considerations document: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

Tom

On Thu, Nov 20, 2008 at 10:19 AM, Petrov, Stefan <stefan.petrov@sap.com> wrote:
>
> Hi all,
>
> I have some questions regarding the checking of the "InResponseTo" attribute.
> Although the SAML2 specification documents clearly define that "InResponseTo" must
> be checked to confirm it corresponds to the request's "ID", they do not say why this
> is obligatory.
>
> What kind of attacks could this checking prevent?
> I see that it could be used to save time-consuming signature checking in
> eventual DoS attacks. Are there other attack scenarios where it could
> be helpful?
>
> Thanks and Regards,
>
> Stefan
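As an added illustration of the check being discussed (example code, not from the thread or from any SAML library): an SP-side validator that accepts a samlp:Response only when its InResponseTo names an AuthnRequest ID this SP actually issued, has not expired, and has not been consumed before. The tracker, the reason strings and the sample response XML are constructed for this example.

```python
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class RequestTracker:
    """Remembers the IDs of AuthnRequests this SP issued, each with an issue time (hypothetical store)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}  # request ID -> time it was issued

    def issue(self, request_id, now=None):
        self.pending[request_id] = time.time() if now is None else now

    def consume(self, request_id, now=None):
        """True exactly once for a live request ID; the ID is forgotten afterwards (replay defence)."""
        now = time.time() if now is None else now
        issued = self.pending.pop(request_id, None)
        return issued is not None and now - issued <= self.ttl


def check_in_response_to(response_xml, tracker, now=None):
    """Return 'ok' or a short reason why the response must be rejected."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return "not a samlp:Response"
    irt = root.get("InResponseTo")
    if not irt:
        # Unsolicited (IdP-initiated) responses are refused by this SP's policy.
        return "unsolicited response rejected"
    # Bearer confirmations carry their own InResponseTo; it must name the same request.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != irt:
            return "SubjectConfirmationData InResponseTo mismatch"
    if not tracker.consume(irt, now):
        return "unknown, expired or already-used request ID"
    return "ok"


# Constructed sample: a response to request "_req1" (signatures omitted for brevity).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" IssueInstant="2008-11-20T10:19:00Z" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-11-20T10:19:00Z">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req1"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

In a deployment with several SP nodes the pending-ID store has to be shared (or bound to the user's session) so that a legitimate response reaching a different node is still recognised and a replayed one is still refused.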