Re: [saml-dev] Same certificate for https and SAML signing

["Cantor, Scott" <cantor.2@osu.edu>]

On 3/10/14, 2:36 PM, "Tom Scavo" <trscavo@gmail.com> wrote:
>
>If you're referring to the SAML spec, it has nothing to say about this
>issue. The companion spec that Peter pointed is one approach but there
>is a small fraction of Federations worldwide (that I know of, anyway)
>that employ a model based on CA-signed certificates in metadata.

As long as it's exactly one, controlled, CA, that's relatively safe.
Otherwise it's simply asking to get hacked, because without naming
constraints and/or control over the issuance, you have no control over
what's being issued and what the relationship is between a SAML name and a
subject DN. There is nothing in SAML to do this, and there is no standard
way of expressing the right rules in SAML metadata (though there are
non-standard ways).

In short, a good number of SAML systems in the world have literally no
idea what they're doing and are operating unsafely. That is probably
unsurprising since you could s/SAML/anything in that sentence and be
accurate.

-- Scott