saml-dev message



Subject: RE: [saml-dev] Checking of InResponseTo attribute


> I have some questions regarding the checking of the "InResponseTo" attribute.
> As the SAML2 specification documents clearly define that "InResponseTo"
> must be checked if it corresponds to the request's "ID", it does not say why
> this is obligatory.

And in practice it isn't. If your implementation is stateful, then it might
be necessary.

> What kind of attacks could this checking prevent?

Depends entirely on what you're willing to assume about the response. It
presumably enables one to trust that the response fulfilled obligations that
were in the request. Personally I don't use it for anything.

-- Scott
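The stateful case Scott mentions, as an added example that is not part of the thread and not from any SAML library: an SP that records the ID of every AuthnRequest it issues, then requires a Response carrying InResponseTo to name one of those outstanding, unexpired IDs and consumes the ID so it cannot be presented twice. The class and function names, the five-minute lifetime and the sample Response XML are all constructed for this example; signature validation and the other Response checks are out of scope.

```python
"""Stateful InResponseTo check for a SAML 2.0 SP.

Added example, not code from the saml-dev thread or from any SAML toolkit.
RequestTracker, check_in_response_to, the TTL and the sample XML below are
assumptions made for illustration.
"""
import secrets
import time
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class RequestTracker:
    """Remembers AuthnRequest IDs this SP issued, each with an issue time.

    ttl_seconds (assumed 5 minutes) bounds how long a request stays
    outstanding; clock is injectable so expiry can be tested offline.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # request ID -> time the AuthnRequest was issued

    def new_request_id(self):
        # SAML IDs are xs:ID values, so they must not start with a digit.
        rid = "_" + secrets.token_hex(16)
        self._pending[rid] = self.clock()
        return rid

    def consume(self, rid):
        """Return True if rid is outstanding and unexpired; removes it either way."""
        issued = self._pending.pop(rid, None)
        if issued is None:
            return False
        return self.clock() - issued <= self.ttl


def check_in_response_to(response_xml, tracker, allow_unsolicited=False):
    """Validate the InResponseTo linkage of a samlp:Response against tracker.

    Returns the matched request ID, or None when an unsolicited
    (IdP-initiated) Response is accepted by policy. Raises ValueError on
    any mismatch. Signature and Conditions checks are not performed here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    irt = root.get("InResponseTo")
    if irt is None:
        if allow_unsolicited:
            return None
        raise ValueError("unsolicited Response not permitted")
    if not tracker.consume(irt):
        raise ValueError("InResponseTo %r matches no outstanding request" % irt)
    # A bearer SubjectConfirmationData may also carry InResponseTo; when it
    # does, it must agree with the Response element.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != irt:
            raise ValueError("SubjectConfirmationData InResponseTo disagrees")
    return irt


def build_sample_response(in_response_to=None, scd_in_response_to=None):
    """Constructed, unsigned Response for demonstration only."""
    resp_attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    scd_attr = ' InResponseTo="%s"' % scd_in_response_to if scd_in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"'
        ' IssueInstant="2024-01-01T00:00:00Z"%s>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Subject><saml:NameID>alice</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData%s/></saml:SubjectConfirmation></saml:Subject>'
        "</saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], resp_attr, scd_attr)


if __name__ == "__main__":
    tracker = RequestTracker()
    rid = tracker.new_request_id()
    print("accepted:", check_in_response_to(build_sample_response(rid), tracker))
    try:
        check_in_response_to(build_sample_response(rid), tracker)  # same ID again
    except ValueError as err:
        print("rejected:", err)
```

The tracker is the only state the check needs; a stateless SP has nowhere to look the ID up, which is the situation Scott describes. Whether to accept a Response with no InResponseTo at all is a policy decision (the allow_unsolicited flag), not something this check can decide for you.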




