[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] phishing the DS protocol
> The Identity Provider Discovery Service Protocol and Profile talks
> about the dangers of phishing attacks and how metadata can mitigate
> this threat. However, it stops short of specifying that the DS MUST
> ensure by some means (metadata or otherwise) that the location
> specified in the return parameter is in fact associated with the
> requester given by the entityID parameter. Am I missing something?

Not that I can see. Making it a MUST doesn't give anybody involved any guarantee that it's being prevented, so it's not a MUST, just up to the implementer/deployer. Could have been a "MUST implement", didn't really think about it.

-- Scott
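As an added illustration of the check the question asks about (example code, not from Scott, the thread, or the SAML specification): one way a DS could enforce that the `return` location belongs to the requesting `entityID`, assuming the DS has already loaded each SP's DiscoveryResponse endpoint locations from its metadata into a dict (a constructed sample is embedded below). Matching on scheme, host, port and path while ignoring the query string is my modelling assumption, not a rule the spec text here states.

```python
from urllib.parse import urlsplit

# Constructed sample: SP entityIDs mapped to the DiscoveryResponse endpoint
# Locations a DS would take from each SP's metadata (assumed shape; a real DS
# would parse the <idpdisc:DiscoveryResponse> elements itself).
SP_DISCOVERY_ENDPOINTS = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/Login",
        "https://sp.example.org/Shibboleth.sso/DS",
    },
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def _canonical(url: str):
    """Scheme, host, port and path of a URL with the default port filled in
    and the query string dropped (the SP may append its own query to the
    registered endpoint). Returns None if the URL cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname ignores any userinfo
    return (scheme, host, port or DEFAULT_PORTS.get(scheme), parts.path or "/")


def validate_return(entity_id: str, return_url: str,
                    metadata=SP_DISCOVERY_ENDPOINTS) -> bool:
    """Accept the return parameter only if it matches an endpoint registered
    for the requester; otherwise the DS would redirect the user wherever the
    caller says, which is the phishing risk the thread is about."""
    endpoints = metadata.get(entity_id)
    if not endpoints:
        return False  # unknown requester: no metadata, no trust
    target = _canonical(return_url)
    if target is None or target[0] != "https":
        return False
    # Structural comparison, not a string-prefix check, so a URL that merely
    # starts with the registered text (e.g. a userinfo part) does not pass.
    return any(_canonical(e) == target for e in endpoints)
```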